Hackers ShinyHunters send ransom notes to 9,000 schools as part of cyberattack impacting millions

The ShinyHunters hacking group has claimed responsibility for disrupting schools and universities across the US by infiltrating Instructure, the company behind the widely used learning platform Canvas.

Canvas is the leading Learning Management System (LMS) in North America, with its user base extending to tens of millions of students and teachers.

On 1 May, Instructure reported that it had 'experienced a cybersecurity incident perpetrated by a criminal threat actor'.

ShinyHunters - who previously hacked Pornhub - claimed in a ransom note that it breached 275 million individuals’ data and had access to 'several billions of private messages'.

"This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headline," their message read.

Second ransom message

ShinyHunters has issued a fresh warning to Instructure (ABC)

On 7 May, however, ShinyHunters' said via Ransomware.live that they hadn't heard back from Instructure and accused them of ignoring their demands.

“Instead of contacting us to resolve it, they ignored us and did some ‘security patches’,” the group wrote in a note sent to multiple schools.

"If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked."

What has Instructure said?

Instructure said they are looking into the incident (Getty Stock Images)

After initially announcing that Canvas was back up, Instructure told Time in a statement Friday that 'out of an abundance of caution,' it temporarily took Canvas offline to investigate.

“We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts,” the statement read.

“As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use.”

Schools affected by hack include:

• Harvard University
• Penn State University
• University of Illinois
• James Madison University
• Columbia University
• Georgetown University
• University of Michigan
• University of California
• University of Chicago
• Baylor University
• University of Maryland
• University of North Carolina at Chapel Hill
• University of Pennsylvania
• University of Oklahoma
• Duke University

ShinyHunters said they have access to '275 million individuals’ data' (Getty Stock Images)

“This is being reported as a national-level cyber-security incident,” the director of information technology at the University of Iowa’s College of Public Health wrote in announcing that the school’s online system was down.

“Hopefully we will have a resolution soon.”

What do we know about ShinyHunters?

ShinyHunters, a hacking group reportedly made up of young cybercriminals, allegedly based in the US and UK, has claimed responsibility for attacks on Instructure and major companies including Ticketmaster, AT&T and Rockstar Games.

The group, formed in 2020, has been linked to data theft, ransom schemes and dark web sales.

In 2024, 22-year-old French citizen Sebastien Raoult, an alleged member of ShinyHunters, was sentenced to three years in prison and ordered to pay more than $5 million for conspiracy to commit wire fraud and aggravated identity theft.

LADbible Group has contacted Instructure for comment.