An infamous cyber gang has given U.S. colleges and universities until May 12 to either pay a ransom or face the leak of troves of sensitive information – including billions of private messages between students and their instructors – that the group hacked from the widely-used Canvas learning management system.
The breach impacted nearly 9,000 educational institutions worldwide, spanning both K-12 and higher education across the globe. Nir Kshetri, a business professor and cybercrime expert at the University of North Carolina at Greensboro, told The EDU Ledger, “Since the attack involves sensitive data, some might pay."
Here are five key things to know about the attack, which disrupted final exams, instruction, and coursework at scores of institutions of higher education in the U.S. and around the world just as they were trying to wind down the 2025-2026 academic year.
#1. The breach affected institutions that use Canvas
Canvas is a widely-used learning management system that is run by Instructure, a company that boasts of being the “O.G. champions of open edtech.”
Edutechnica reported in May 2025 that Canvas has the highest share of the learning management system market in the U.S.
“Thirty million users — including at half of the higher education institutions in North America — rely on Canvas to manage courses, submit assignments, view grades and facilitate communication,” observes NPR, citing information from Instructure.
In the U.S., Canvas clients include Harvard, MIT and Rutgers, to name a few.
#2. Usernames and other sensitive information taken
The breach involved the “unauthorized access” to data fields that included “information like usernames, email addresses, course names, enrollment information and messages,” Steve Daly, CEO of Instructure, said in a company update in which he also apologized for not sharing more information with affected parties sooner.
“Core learning data (course content, submissions, credentials) was not compromised,” Daly stated. “We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.”
Bloomberg reported that a company investigation had found “no evidence that passwords, dates of birth, government identifiers or financial information were taken.”
#3. The FBI is ‘aware’ of the attack
Instructure first told the FBI, the US Cybersecurity and Infrastructure Security Agency and law enforcement agencies around the world about an initial breach on April 29, followed by a related breach on May 7, according to Bloomberg.
The FBI advised potentially affected Canvas users to not send payment or respond to the demands of anyone who claims to have their data, according to a message the agency posted on Facebook.
“By receiving a message, that does not necessarily mean your personal information has been compromised,” the FBI stated. “Threat actors often exaggerate or fabricate their access to sensitive or personal information to prompt payment from victims.”
The FBI advised individuals who are worried about their personal information being exposed to await formal guidance from their school. It also said people can file a complaint with the Internet Crime Complaint Center, also known as IC3.
#4. A cybergang known as ‘ShinyHunters’ has claimed responsibility
ShinyHunters, “threat actor group” that burst onto the scene in 2020 with their purported theft of more than 200 million records from 13 companies, has claimed responsibility for the Canvas cyberattack, TechRadar reports.
While the group operates in obscurity on what is known as the “dark web,” police and prosecutors in the U.S. have unmasked at least one of its members and sent him to prison.
Sebastien Raoult, also known as “Sezyo Kaizen,” was nabbed in Morocco in 2022 and extradited to the U.S. in January 2023, according to the Department of Justice.
A year later in January 2024, the young French national was sentenced to three years in federal prison and ordered to pay more than $5 million in restitution for his role in what a prosecutor called an “extensive computer hacking that caused millions of dollars in losses” to companies and “unmeasurable additional losses to hundreds of millions of individuals whose data was sold to other criminals.”
“Mr. Raoult’s motive was pure greed,” said the prosecutor, Criminal Chief Sarah Vogel of the Western District of Washington. “He sold hacked data. He stole people’s cryptocurrency. He even sold his hacking tools so that he could profit while other hackers attacked additional victims.”
In spite of a judge calling Raoult’s crime an “extraordinarily serious offense,” Raoult got out of prison in November 2024, well short of his three-year prison sentence, a Federal Bureau of Prisons online database shows.
#5. The group is threatening to leak ‘everything.’
The notorious international hacking crew apparently grew upset when its initial ransom demands were not met.
“ShinyHunters has breached Instructure (again),” the group stated in a “welcome” message posted on the Canvas websites for 330 institutions, according to TechRadar. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”
It went on to advise the affected schools that if they were interested in preventing the release of their data, to “please consult with a cyber advisory firm” and to contact the gang privately via an encrypted instant messaging site called Tox to “negotiate a settlement.”
“You have till the end of the day by May 12 2026 before everything is leaked,” the message stated.
