Morning Overview

ShinyHunters stole 3.65 terabytes of student data from 8,809 schools — and the group just hit Canvas again after Instructure said it was resolved

When Rutgers University told its 70,000-plus students and staff on May 6 that their Canvas accounts had been caught up in a nationwide security breach, the message carried a familiar reassurance: the vendor was handling it. Six days later, on May 12, Rutgers relayed a second update saying Instructure, the company behind Canvas, had reached an agreement with the attackers to delete 3.65 terabytes of stolen student data. The breach was resolved, Instructure said. Then ShinyHunters, the cybercriminal group responsible, reportedly broke back in.

What ShinyHunters took and who is exposed

The breach targeted Canvas, one of the most widely deployed learning management systems in the United States, used by K-12 districts and universities to handle everything from grade books and assignment submissions to internal messaging and exam proctoring. According to Instructure’s communications to institutional customers, the stolen data included student ID numbers, names, email addresses, and messages exchanged through the platform. The company’s chief information security officer confirmed those categories publicly.

The claimed scale is enormous: 3.65 terabytes of data spanning 8,809 schools. Those figures originate from sources associated with the attackers and have been widely reported, but Instructure has not publicly confirmed or disputed the specific numbers. No independent audit or regulatory filing has verified the count. What is not in dispute is that Instructure acknowledged the breach occurred and that it engaged directly with the group responsible.

Instructure told customers that highly sensitive records such as Social Security numbers and financial information were not believed to be part of the exfiltration. But the data that was taken is far from harmless. Student IDs, institutional email addresses, and internal message histories give attackers the raw material for highly targeted phishing campaigns. A fraudulent email referencing a real course name, a real instructor, or a real assignment carries far more credibility than a generic scam.

Who is ShinyHunters

ShinyHunters is not an unknown or amateur operation. The group first gained widespread attention in 2020 after breaching Tokopedia, Indonesia’s largest e-commerce platform, and leaking 91 million user records. Since then, the collective has been linked to intrusions at Microsoft’s GitHub repositories, the clothing retailer Bonobos, and a string of other high-profile targets. In 2024, ShinyHunters was connected to the massive AT&T and Snowflake-linked breaches that exposed call and text metadata for roughly 110 million AT&T customers. The group has also been associated with the operation of BreachForums, one of the most prominent dark-web marketplaces for stolen data, which has been seized and relaunched multiple times.

That track record matters here. When Instructure announced it had secured an agreement with ShinyHunters to delete the stolen Canvas data, it was describing a handshake deal with a group that has built its reputation on monetizing exactly this kind of information. Security researchers have long warned that paying ransoms or negotiating deletion agreements with cybercriminals offers no reliable guarantee. Attackers can copy stolen files to multiple locations before any negotiation begins, and there is no enforcement mechanism to ensure compliance.

The second intrusion changes the calculus

The most consequential development is the reported second breach. After Instructure publicly characterized the situation as resolved, ShinyHunters reportedly accessed Canvas systems again. Instructure has not issued a direct public statement addressing this second intrusion, and the company has not disclosed whether the original vulnerability was never fully patched, whether the attackers retained valid credentials or access tokens, or whether an entirely different entry point was exploited.

Each of those scenarios carries different implications for the 8,809 schools that rely on Canvas for daily instruction. A lingering, unpatched vulnerability would point to systemic weaknesses in Instructure’s security program. Retained credentials would suggest the initial incident response failed to fully revoke attacker access. A separate, unrelated compromise would underscore how persistently threat actors target major education platforms. Regardless of the cause, the second intrusion undermines the central assurance Instructure gave its customers: that the matter was settled.

Universities are flying blind

The Rutgers notices illustrate a structural problem that extends well beyond one university. Rutgers did not conduct its own forensic investigation of Canvas’s infrastructure. It could not. The university licenses Canvas as a hosted service and has no direct access to Instructure’s servers, logs, or security architecture. Instead, Rutgers served as a conduit, translating Instructure’s corporate statements into guidance for its community. That dynamic is standard across higher education, where institutions outsource core academic technology to vendors and depend on those vendors to manage both the platform and any incident response.

The result is an information asymmetry that leaves schools in a difficult position. Administrators must reassure students and faculty while acknowledging, at least internally, that they have limited independent knowledge of what happened. IT departments issue password-reset advisories and phishing warnings, but they cannot answer the questions their users most want answered: Is my data still circulating? Has the vulnerability been fixed? Will this happen again?

Federal law adds another layer of pressure. The Family Educational Rights and Privacy Act, known as FERPA, governs the handling of student education records and places obligations on both institutions and their vendors. When a third-party service provider suffers a breach involving student data, the institution that shared that data under its FERPA obligations may face scrutiny from the U.S. Department of Education. State data breach notification laws impose additional requirements, often mandating direct notice to affected individuals and filings with state attorneys general when personal information is exposed at scale. Whether Instructure has completed those filings is not confirmed in available reporting.

What affected students and staff should do now

Given the uncertainty around whether the stolen data was actually deleted, anyone who has used Canvas at an affected institution should treat their information as potentially compromised. Concrete steps include:

  • Change your Canvas password immediately, and change it on any other account where you used the same password or a similar one.
  • Enable multi-factor authentication on your university email and any linked accounts. If your school offers an authenticator app option rather than SMS-based verification, use it.
  • Watch for phishing emails that reference specific courses, instructors, or university offices. Attackers armed with stolen Canvas messages can craft convincing lures. Verify any unexpected request by contacting your institution’s IT help desk directly.
  • Monitor your financial accounts and consider placing a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion), especially if you are a student who may not check credit reports regularly.
  • If your institution offers free identity monitoring as part of its breach response, enroll in it.

What Instructure still owes its customers

As of mid-May 2026, Instructure has not released a public incident report detailing how the initial breach occurred, what technical vulnerabilities were exploited, what specific remediation steps were taken, or how the reported second intrusion was possible after the company declared the matter resolved. No statement from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), or any state attorney general’s office has surfaced in connection with this breach.

Those gaps matter. An agreement with a cybercriminal group is not the same as a verified remediation. It does not demonstrate that the underlying security weaknesses have been identified and fixed, and it does not provide affected individuals with the information they need to assess their own risk. Until Instructure publishes a detailed technical accounting, or until regulatory disclosures fill in the blanks, schools and their communities are left planning for a worst-case scenario while hoping the actual exposure is narrower than the attackers claim.

The Canvas breach is already shaping up as a case study in the risks of concentrating critical education infrastructure in the hands of private vendors who operate largely outside public view. For the millions of students whose records may now be in criminal hands, the lesson is more immediate: when a company says it struck a deal with hackers to make a breach go away, that is not the same as making it go away.

*This article was researched with the help of AI, with human editors creating the final content.