Editor’s Note: This is an ongoing breaking news story. Updates will be provided as they become available.
On May 7, Instructure, the parent company of Canvas, was infiltrated by an infamous cybercrime group referred to as ShinyHunters, notorious in the hacking community for large-scale data breaches targeting major corporations.
When students and faculty at Colorado State University went to log in to Canvas, they were met with a message from ShinyHunters warning that they had breached Instructure and gained access to private data.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement,” the message reads. “You have till the end of the day by 12 May 2026 before everything is leaked.”
The message also included a downloadable text document and website URL that The Collegian has not attempted to access. Less than an hour after the original message from ShinyHunters appeared, the message was replaced by a Canvas maintenance page.
This cyberattack comes as tens of thousands of schools across the U.S. have been targeted by the group, including the university of Pennsylvania, Duke University, Harvard University, MIT and more. ShinyHunters demanded a ransom amount that remains officially undisclosed by Instructure, which has reportedly been paid in return for stolen data along with confirmation of data destruction and the digital safety of Instructure customers, according to an update from Instructure.
In a similar incident that recently impacted over 300,000 students at University of Pennsylvania, emails, names, ID numbers and course enrollments were all obtained by the group. The cybercrime group’s spokesperson also claimed that it had obtained billions of private messages between students, faculty and other staff that contained personal information including phone numbers and home addresses.
The attack follows an update that was originally sent May 6 by CSU System Information Technology Services that acknowledged the nationwide IT security incident and advised CSU community members to review cybersecurity resources and remain vigilant. The message was updated May 7 with more information about the current breach.
“At this time, we do not have an estimated timeframe for restoration,” the message reads. “Students should work directly with their instructor or faculty member regarding coursework, deadlines, or alternative instructions while access to Canvas is unavailable.”
Students and faculty are advised to avoid interacting with any information provided by ShinyHunters, nor should they install the text document linked or click any hyperlinks.
As of May 8, CSU System IT has restored functionality to both the Canvas webpage and mobile app.
Reach Claire VanDeventer at news@collegian.com or on social media @RMCollegian.
Click Here For The Original Source.
