ShinyHunters Claims 275M Records from Canvas LMS Breach, 9,000 Schools Exposed Before May 12 Ransom Deadline

ShinyHunters, a notorious threat actor, claims to have stolen 275 million records from Canvas LMS, the learning management system used by thousands of educational institutions worldwide. The breach, confirmed by Instructure on April 29, allegedly exposed usernames, email addresses, student IDs, and billions of private messages across 8,809 schools. A ransom deadline has been set for May 12, escalating pressure on one of the most widely deployed education platforms globally.

Instructure confirmed that the attack vector was Free-For-Teacher accounts, which have since been shut down. ShinyHunters provided BleepingComputer with a detailed list of affected institutions and per-school record counts, lending credibility to the scope of the claim—though the 275 million figure and the volume of private messages remain unverified. The list includes elite universities such as Columbia, Princeton, Harvard, and Georgetown, alongside Rutgers, Kent State, and major school districts across at least 12 U.S. states. International exposure extends to institutions in the United Kingdom, Australia, New Zealand, Sweden, and the Netherlands.

The operational fallout is already materializing. The University of Texas at San Antonio postponed Friday finals, while the North Carolina Department of Public Instruction severed Canvas access from NCEdCloud entirely. Multiple universities instructed students not to log in as investigations continue. Canvas has restored service, but the incident raises urgent questions about the security of centralized education platforms that aggregate sensitive student data at massive scale. With the ransom deadline looming and the full extent of exposed private communications still unclear, institutions face difficult decisions about notification, remediation, and whether student messaging data could be weaponized for further exploitation.