Students across several universities are reporting major disruptions on Thursday after the Canvas LMS, a cloud-based learning management system used by universities, schools, and training organizations, began showing what appeared to be a defacement message linked to the cybercrime group ShinyHunters.
The incident follows earlier disclosures from Instructure, the company behind Canvas LMS, confirming unauthorized access to parts of its systems.
One of the affected portals included canvas.vt.edu, where users were greeted with a ransom-style message claiming ShinyHunters had “breached Instructure again.” The page warned universities listed in an attached file to contact the group before May 12, 2026, or face the public release of stolen data. The message also accused Instructure of ignoring prior contact attempts and applying “security patches” instead of negotiating.
Hackread.com spoke with students at the University of Colorado Colorado Springs, who said classes were disrupted around 1 p.m. local time. local time as access to Canvas services became unstable. Similar complaints surfaced on social media and university discussion channels from students who said assignments, course files, and exams became inaccessible during the outage.
Instructure had already acknowledged a cybersecurity incident earlier this month after ShinyHunters claimed responsibility for stealing data linked to thousands of schools and universities using Canvas.
The company confirmed that exposed information included names, email addresses, student ID numbers, and internal Canvas messages. According to Instructure, there is currently no evidence that passwords, financial records, government identification numbers, or birth dates were accessed.
However, the scale claimed by the threat group is massive. ShinyHunters alleges it exfiltrated 3.65TB of data connected to nearly 9,000 institutions and roughly 275 million users worldwide. Those numbers have not been independently verified, though several cybersecurity outlets and researchers tracking the case say the campaign appears extensive.
For context, many institutions use Canvas LMS for coursework, assignment submissions, exams, grading, messaging, and attendance tracking. Even a temporary outage can disrupt classes during finals week or assignment deadlines. Several schools have already warned students to stay alert for phishing emails and fake password reset messages that may follow the breach.
The defacement message seen on canvas.vt.edu suggests the attackers wanted visibility as much as leverage. Rather than quietly leaking data, the group appeared to target a public-facing university login portal to amplify pressure on affected schools. At the time of writing, it remains unclear whether the page compromise came from direct access to university infrastructure, a shared Canvas environment issue, or another connected service.
ShinyHunters has been linked to several high-profile extortion and data theft campaigns over the past few years, often targeting cloud platforms, SaaS providers, and identity systems. Hackread.com has been tracking the group’s activity, which shows its operations frequently involve stolen credentials, third-party integrations, and data extortion tactics instead of ransomware encryption.
Instructure has not publicly confirmed the full extent of the latest disruption linked to the defaced login page. Investigation efforts are ongoing, and more universities are expected to release statements as they determine whether their systems or user data were affected.
