The notorious hacking group ShinyHunters claims to have stolen 3.65 TB of student data, putting the PII of 275 million users at risk.
The global education sector is facing its most significant cybersecurity crisis to date. On May 9, 2026, the hacking collective ShinyHunters announced the successful breach of Instructure’s Canvas Learning Management System (LMS). The group claims to have exfiltrated 3.65 TB of sensitive data, compromising the records of approximately 275 million students and faculty across 9,000 institutions globally.
Independent security researchers have verified sample data provided by the hackers in a preliminary analysis. The stolen archive reportedly contains full Personally Identifiable Information (PII), including full names, home addresses, dates of birth, academic transcripts, and billions of private direct messages. The breach also involves hashed login credentials and session tokens, posing an immediate risk of large-scale account takeovers.
ShinyHunters, known for previous high-profile breaches of AT&T and Ticketmaster, claims to have gained access via a misconfigured S3 bucket and an exposed API endpoint used by several third-party integrators. This "supply chain" approach allowed them to bypass Instructure's core security perimeter and harvest data at the orchestration layer.
In a bold escalation, ShinyHunters defaced several high-traffic Canvas login portals with a countdown timer. The group is demanding a massive cryptocurrency ransom to be paid by May 12, 2026. Failure to comply, they claim, will result in the public sale of the entire dataset on underground forums. This incident highlights the catastrophic risk associated with centralized educational platforms that serve as single points of failure for entire nations' learning infrastructure.
Educational institutions are being urged to initiate immediate, universal password resets and audit all third-party integrations that have OAuth access to their Canvas environments. Organizations should also monitor for anomalous spikes in API traffic and unauthorized lateral movement within their student information systems. As one researcher noted, "This isn't just a data leak; it's a structural compromise of the digital classroom."