Criminal hacker group ShinyHunters breaches Canvas

An image of the hacker message on Canvas's website
Canvas was shut down on Thursday by a criminal hacking group, threatening to release data if affected schools do not contact them and reach a settlement by May 12. (Photo: Courtesy of ShinyHunters)
By Daniel Xu
Published May 7, 2026, 4:49 p.m., last updated May 7, 2026, 7:05 p.m.

This story is developing and will be updated accordingly. 

Criminal hacker and extortion group ShinyHunters claimed to have breached Canvas parent company Instructure, shutting down access to Canvas for students and faculty Thursday.

Canvas serves as Stanford’s “primary learning management system” and services 2,400 instructors and 19,000 students in 2,000 courses each quarter.

In a statement on Canvas’ website, ShinyHunters threatened to release the stolen data and told affected schools to “contact [them] privately at TOX to negotiate a settlement” by the end of the day on May 12. Shinyhunters also offered Instructure a similar ultimatum, giving the company until May 12 to reach out. The message included a .txt file, which allegedly contains a list of affected schools, as well as a .onion link to Shinyhunters’ website. The Daily has not confirmed the authenticity of the information.

At around 2 p.m., Instructure replaced ShinyHunters’ message with its own message, claiming that Canvas is “currently undergoing scheduled maintenance.”

At 2:43 p.m., the University released an AlertSU report about the outage and wrote that it “[does] not have additional details about the Canvas outage at this time.”

In an email to The Daily, Stanford’s Canvas Support team described the incident as a “cyberattack.” 

“We are in communication with the vendor and will provide updates as information is made available to us,” the Canvas team wrote. 

The Daily has reached out to Instructure for comment.

The attack marks the second time this week that ShinyHunters claims to have breached Instructure. On Sunday, ShinyHunters claimed to have stolen the information of over 275 million individuals, including “billions of private messages among students and teachers.” Instructure contested the claims, saying that they “have found no evidence” that passwords, dates of birth or other personal information had been leaked.

The group told The Daily Pennsylvanian that they plan to leak the Sunday data by May 8 unless Instructure or the affected schools contact them. The Daily Pennsylvanian confirmed that ShinyHunters had obtained access to University of Pennsylvania user data. 

ShinyHunters has a record of attacking universities. In November, the organization attacked Harvard University, the University of Pennsylvania and Princeton, ultimately leaking 1.2 million lines of data. The organization has also targeted many other organizations, including Google, Ticketmaster, AT&T and the European Union. 

Daniel Xu ’29 is the Vol. 269 Local Editor for News. He is also the author of two columns: "Ache of Home" and "And So We Thought." Contact him at danxu ‘at’ stanford.edu.

Print Article
The Stanford Daily

Login or create an account