Update 5/8/26 7:41 am est-canvas resumed
A strange warning appeared on Canvas, and for students trying to check assignments, grades, and course updates, it looked more like a ransom note than a normal school login page. The message claimed that ShinyHunters has breached Instructure again, and it included a warning, a deadline, and a download link labeled “DOWNLOAD AFFECTED_SCHOOLS.TXT.”
That is what makes the Canvas Instructure hack so serious.
This was not just a quiet backend cybersecurity issue. Students could see the message themselves. It appeared directly on a platform that colleges and schools depend on every day.
This appeared for about 45 minutes. Now other users’ students/instructors are reporting “canvas experiencing issues” or “undergoing scheduled maintenance.”
The Warning Students Saw on Canvas for 45 Minutes
The message opened with the name SHINYHUNTERS and the line:
“rooting your systems since ’19 ;)”
Then it stated:
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’.”
The message then showed:
“⚠ WARNING”
It continued:
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked.”
The next line said:
“Instructure still has until EOD 12 May 2026 to contact us.”
The most dangerous part for students was the download section:
“DOWNLOAD AFFECTED_SCHOOLS.TXT”
Under that, the message showed a download path connected to an IP address and a file named:
“instructure_affected_schools_list.txt”
“dUDES, ARE YOUR GUYS CANVAS DOWN”
-rEDDIT uSER
The download link is a major red flag because it appears inside a message connected to an extortion threat. Even if the file claims to be a simple list of affected schools, students should not download it, open it, copy it, or visit the address.
There is no reason for a student to interact with a file posted by a hacking group.
A link like this could be used to track visitors, spread malware, collect information, or lead people into another scam. The safest move is to take a screenshot, close the page, and report it to campus IT.
That is the key point.
Do not click the download link.
What Is Being Reported About the Canvas Data Breach
The hacker group ShinyHunters is claiming responsibility for the incident. Reports say the group claims it accessed data connected to thousands of schools and millions of users. The claimed exposed information includes names, email addresses, student ID numbers, course information, and private Canvas messages.
Reports also say there is no current evidence that passwords, birth dates, government IDs, or financial information were part of the exposed data. That does not make the situation harmless. Names, emails, student IDs, class details, and messages can still be used for targeted phishing.
That is why students should be careful with any email or message that says it is from Canvas, Instructure, financial aid, a professor, or campus technology support.
A fake message is easier to believe when it uses real school details.
What Students Should Do Now
Students should report the pop-up to their school’s IT department right away. They should include the screenshot, the time it appeared, and whether they clicked anything.
They should also avoid using any link from the warning page. Canvas should only be accessed through the official school website, official app, or direct link provided by the college.
Changing passwords is a smart step, especially if the same password was used on other accounts. Two-factor authentication should be turned on for school email, Canvas, financial aid portals, and any other student account.
Students should also email professors if Canvas access affects assignments or deadlines. This is not a normal technology glitch. It is a cybersecurity incident involving a major education platform.
The Bigger Problem for Colleges
The Canvas Instructure hack shows how dependent schools have become on one learning management system. Canvas is where students submit assignments, check grades, read professor announcements, message classmates, and access course materials.
When that system is disrupted, the classroom is disrupted.
Colleges now need to be clear with students. They should explain what happened, what data may have been exposed, what was not exposed, and what students should do next.
Students should not have to guess.
They should not have to find out through a ransom-style warning on the platform they use for school.