ShinyHunters Sets Tomorrow Deadline for Canvas Breach: 275 Million Student Records at Risk Across 9,000 Schools

The hacking group ShinyHunters has given Instructure, parent company of the widely-used learning management system Canvas, until May 12 to pay ransom or face the release of 275 million student records. Tomorrow's deadline places immense pressure on the education technology company as it remains unclear whether any payment has been made or negotiations are underway. Instructure has not publicly acknowledged any talks with the threat actors, who issued a direct "Pay or Leak" ultimatum after claiming the company was not engaging.

The breach exposes one of the largest concentrations of education sector data in recent memory. Affected institutions reportedly include Harvard, Columbia, Princeton, and Georgetown, among approximately 9,000 schools using Canvas platforms. The compromised data reportedly includes student names, email addresses, student identification numbers, and private messages. ShinyHunters exploited a vulnerability in the Free-For-Teacher account system to gain initial access, a vector that raises serious questions about the security architecture of open-tier educational platforms. Instructure first detected unauthorized access on April 29, meaning the company has known about the intrusion for weeks without confirming the full scope publicly.

The timing creates acute legal exposure. The Family Educational Rights and Privacy Act (FERPA) mandates that institutions notify affected individuals within 60 days of discovering a breach. With that clock running from late April, schools face imminent compliance deadlines—yet most have not informed students or parents that their data was compromised. The combination of elite institutional involvement, the volume of records exposed, and the coordinated silence from both Instructure and affected schools signals a deepening crisis with potential regulatory, legal, and reputational fallout for the higher education sector.