The hacking group ShinyHunters has claimed responsibility for a cyberattack targeting Canvas, disrupting access for schools and universities across the United States.
Canvas, a cloud-based learning platform widely used by schools and universities, serves more than 30 million active users worldwide and is used by over 8,000 institutions, according to parent company Instructure’s website. Its sudden outage this week left thousands unable to study, submit work or contact instructors, at a time when students are typically studying for or taking their final exams.
The incident is the latest high-profile breach linked to the hacking group, which has recently been tied to attacks involving Pornhub and Vimeo as part of its broader “pay or leak” campaign targeting major online platforms and their users.
Newsweek has contacted Instructure for comment via email.
Who Is ShinyHunters?
ShinyHunters is a financially motivated hacking and extortion group that emerged between 2019 and 2020 and became known for breaching major companies, stealing customer data, and demanding ransom payments to prevent leaks. The group is linked to large-scale data theft campaigns targeting cloud services, SaaS (Software as a Service) platforms, customer databases and corporate login systems.
They have a long list of victims, having been linked with attacks on Ticketmaster, Rockstar Games, Salesforce, and Australian flag carrier Qantas.
In 2024, the U.S. Department of Justice (DOJ) announced the sentencing of a member of an international hacking group linked to the ShinyHunters. Prosecutors said the individual had posted stolen data from more than 60 companies for sale on dark web forums and threatened to leak sensitive information unless victims paid a ransom.
Canvas
Multiple schools reported outages on Thursday affecting Canvas, the web-based learning platform operated by Instructure that is widely used for course materials, assignments and grades.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’,” the group wrote in an online message.
The hackers also shared a link to a text file listing schools they claimed had been affected and warned institutions seeking to prevent the release of stolen data should contact them to negotiate a settlement. “You have till the end of the day by 12 May 2026 before everything is leaked,” the message said.
In a statement to TIME on Friday, Instructure said it had temporarily taken Canvas offline “out of an abundance of caution” while it investigated the incident and worked to contain unauthorized access.
The company said it had confirmed the attackers exploited an issue linked to its Free-For-Teacher accounts. “As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts,” the statement said. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use.”
The disruption forced some universities to postpone exams and extend coursework deadlines, including Penn State, the University of Illinois and James Madison University in Virginia. School districts in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia and Wisconsin also reported disruptions linked to the incident.
Vimeo
In April, the ShinyHunters added Vimeo to its “pay or leak” extortion portal before publishing hundreds of gigabytes of stolen data online. The leaked material largely consisted of video titles, technical information and metadata, along with around 119,000 unique email addresses that were in some cases linked to usernames.
Vimeo said the exposure was tied to a breach involving Anodot, a third-party analytics provider, and stressed that the incident did not involve Vimeo video content, valid user login credentials or payment card information.
In a statement, Vimeo said: “We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”
The company said Vimeo user and customer login credentials remained secure and the incident did not disrupt its systems or services. Vimeo added it had disabled all Anodot credentials, removed the analytics provider’s integration with Vimeo systems and brought in third-party cybersecurity experts to investigate the breach. Law enforcement agencies were also notified.
Vimeo said its investigation remained ongoing and it would continue taking additional security measures as more information emerged.
Pornhub
In late 2025, Pornhub confirmed it had suffered a cyberattack that hacking group ShinyHunters claimed responsibility for, according to information security and technology news outlet BleepingComputer.
The exposed data reportedly included premium users’ email addresses, search histories, viewing activity and location information. Pornhub said passwords, payment details and financial information were not compromised. The breach allegedly involved around 201 million records linked to premium members.
In a statement, Pornhub said: “We recently learned that an unauthorized party gained unauthorized access to analytics data stored with Mixpanel, a third-party data analytics service provider. The unauthorized party was able to use this unauthorized access to extract a limited set of analytics events for some users. This was not a breach of Pornhub Premium’s systems.”
The company added no passwords, credentials, payment details or government IDs were exposed, and said the affected accounts had since been secured to prevent further unauthorized access. Pornhub also said it had launched an internal investigation with cybersecurity experts and had contacted relevant authorities as well as Mixpanel.
Mixpanel told BleepingComputer it was aware of reports Pornhub had been extorted with allegedly stolen data but said it had found no evidence the information had been taken during its November 2025 security incident or through any breach of its systems.
The company said the data was last accessed by a legitimate employee account at Pornhub’s parent company in 2023, adding if the information was now in the hands of an unauthorized party, it did not believe it was the result of a Mixpanel security incident.
Read the full article here
