If your child logged into Canvas today, they may have seen it—a dark screen, a monospaced typeface, and a countdown. Not a glitch. A ransom note.

On Thursday, the criminal extortion group ShinyHunters hijacked the login pages of Canvas, the learning management system used by an estimated 41 percent of schools in North America—including thousands of K–12 districts and community colleges across California’s Central Valley, East Bay, and beyond. The message was blunt: pay up, or student data gets dumped publicly by May 12.

This is not a rumor. Instructure—the Utah-based company that owns Canvas—has confirmed the breach. It began April 30.

What Was Taken

Instructure confirmed that the stolen data includes names, email addresses, student ID numbers, and private messages sent through Canvas—between students, between students and teachers, and between teachers and parents. The company says passwords, Social Security numbers, dates of birth, and financial information were not compromised.

ShinyHunters claims to have records on 275 million individuals across roughly 9,000 institutions in 10 countries. The U.S. institutions listed include every Ivy League university and a list of K–12 districts that has not been fully verified by any outlet. We are not linking to or downloading that file.

What We’re Asking Districts Right Now

RFA Investigations has submitted press inquiries to school districts across San Joaquin, Stanislaus, and Sacramento counties—including Manteca Unified, West Park Unified, Tracy Unified, Stockton Unified, and Delta College—asking three questions: Are you on the affected list? When did you notify families? And what is your timeline for disclosure under California Civil Code § 1798.29?

California law requires any agency that suffers a breach of personal information to notify affected California residents “in the most expedient time possible.” That clock started April 30. If your district has not contacted you yet, they may be running out of time under state law.

Why This Breach Is Different

Canvas isn’t just a gradebook. It is the primary communication channel between students, teachers, and parents at hundreds of thousands of schools. The private messages in the system contain detailed, personal, often sensitive conversations—students disclosing mental health struggles, parents raising safety concerns, teachers documenting behavioral issues. The exposure of that data is categorically different from a leaked email list.

ShinyHunters is not a new actor. In the past year alone, the group has claimed breaches of Ticketmaster, Infinite Campus, McGraw Hill, and—according to their own ransom letter—a prior Instructure incident the company addressed with security patches rather than disclosure.

Who Is ShinyHunters

ShinyHunters has operated as one of the most prolific criminal extortion groups in the world since at least 2019—their own site carries the tagline “rooting your systems since ’19.” They are not a ransomware gang in the traditional sense. They do not encrypt systems and demand a decryption key. They steal data, threaten to publish it, and demand payment for silence.

The Canvas breach is not an isolated operation. RFA Investigations documented ShinyHunters’ active extortion site this week, where Instructure appears alongside at least seven other corporate victims simultaneously—including ADT (10 million records), Udemy (1.4 million records), Aman Resorts (250,000-plus records), Cushman & Wakefield (500,000-plus records, flagged new as of May 7), and Marcus & Millichap (30 million records). The pattern is deliberate: the majority are described in nearly identical language as Salesforce record breaches. Instructure’s own ransom letter stated that “your Salesforce instance was also breached.” ShinyHunters appears to be exploiting a systematic access method across Salesforce-connected enterprise clients, running parallel extortion campaigns simultaneously.

Their published FAQ addresses court injunctions directly: “Many western countries have sent us court injunctions to prevent or censor the publication of their data. This does not stop us.” On the question of how long non-paying victims remain listed: “Indefinitely. We will make sure every corner of the criminal underground world has your data and is abusing it.”

What You Can Do Right Now

For parents and students:

  1. Change your Canvas password immediately—even if your district uses single sign-on, change the underlying email password as well.
  2. Contact your district’s IT department or superintendent and ask directly: “Is our district on the ShinyHunters affected list, and have you issued a breach notification?”
  3. If your child uses the same password across apps, change all of them. Credential reuse is how one breach becomes five.
  4. Be suspicious of any email or text claiming to be from your school, Canvas, or Instructure that asks you to click a link or confirm credentials. Go directly to the official site.

What We’re Watching

The May 12 deadline is imminent. If Instructure does not reach a settlement, ShinyHunters has stated it will publish the full dataset publicly—making 275 million student records available to any actor with a dark web browser. We will update this story as districts respond to our inquiries and as Instructure issues new guidance.

If you are a parent, teacher, or district employee with information about your school’s Canvas instance or notification status, contact us at tips@radiofreeamerica.press. We protect sources.

Press inquiry status — updated May 7, 2026: Inquiries submitted to Manteca USD · West Park USD · Tracy USD · Stockton USD · Delta College · Modesto City Schools · CDE Communications. Response deadline: May 9, 2026. Instructure press contact: no response as of publication.