On May 3, cybercrime group ShinyHunters claimed responsibility for breaching Instructure — the parent company of Canvas — reportedly compromising the data of hundreds of millions of users, including 306,000 at Penn.
Included in the information obtained by ShinyHunters — notorious in the hacking community for large-scale data breaches targeting major corporations — are emails, names, Penn ID numbers, and course enrollments. According to a spokesperson for the group, the hackers intend to leak the full contents of the data by May 8 unless contacted by either Instructure or the affected schools.
The cybercrime group’s spokesperson also alleged it is also in possession of “billions of private messages among students, teachers, and other staff which may contain other additional information like phone numbers and home addresses.”
The Daily Pennsylvanian was able to confirm the group obtained Penn user data after a ShinyHunters member shared a sample of the stolen information, which included Canvas user accounts and internal messages between University students and faculty.
Vice President of Information Technology and Chief Information Officer Joshua Beeman wrote in a statement to the DP that “securing Penn’s data is our top priority.”
“Our Information Security team is collaborating with the affected vendor, industry professionals, and law enforcement to assess any potential impact on Penn,” Beeman added.
The same cybercrime group first targeted Penn in the fall of 2025, when it released thousands of internal files — such as donor records, internal memos, and other confidential University files. The hack became apparent on Oct. 31, 2025, when mass spam emails criticizing the University’s security measures and admissions practices were sent from email addresses affiliated with the Graduate School of Education.
In February, a ShinyHunters spokesperson told the DP that Penn failed to pay a $1 million ransom to prevent the release of stolen files.
On May 1, Instructure released a statement disclosing that it was the victim of a “cybersecurity incident perpetrated by a criminal threat actor,” and that the company was investigating the attack with third-party cybersecurity experts and law enforcement agencies.
A May 2 update from the company stated that the “incident has been contained.”
“Indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” Instructure’s statement read. “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”
On May 3, ShinyHunters released 3.65 terabytes of data obtained from the hack on its forum. A message accompanying the cache stated that the group had user data from 275 million individuals along with “several billions of private messages.”
“This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way,” the message continued. “Make the right decision, don’t be the next headline.”
Two days later, ShinyHunters published a list of the nearly 9,000 institutions affected by the breach — including all eight Ivy League universities. The May 5 post added that if schools contained in the file were “interested in preventing the release of their data,” they could “consult with a cyber advisory firm and contact us privately.”
“Instructure has not even bothered speaking to us to understand the situation or to even negociate with us to prevent the release of this data,” the May 5 message alleged. “Our demand was not even as high as you might think it is. The Company seemingly does not care about all the students affected and the institutions impacted by this data breach.”
The group’s spokesperson told the DP that they have not yet been in contact with any individual universities. They added that they have provided “an opportunity for all schools to contact us to prevent the release of their data latest by May 7.”
“We are still waiting for Instructure to contact us,” the ShinyHunters spokesperson wrote to the DP. “If not, we have also released another note which allows schools to contact us to prevent the release of their data. But everything will be leaked by May 8.”
In November 2025, a University spokesperson told the DP that Penn referred the October 2025 incident to law enforcement and the Federal Bureau of Investigation.
At the time of publication, it is unclear whether Penn has involved the federal agency in investigating the latest breach. A request for comment was left with an FBI spokesperson.
Jasmine Ni is the Executive Editor of The Daily Pennsylvanian, Inc. and can be reached at ni@thedp.com. At Penn, she studies English and political science. Follow her on X @JasmineNi_.
Click Here For The Original Source.
