Sikt said it was informed by Instructure on Thursday morning that a deal had been struck, but the agency was not aware negotiations were ongoing and did not encourage the company to negotiate. According to Sikt, there is always a risk with such agreements that data has already been copied or may appear later. It remains unknown how much Instructure paid the hackers, if anything.
The breach, claimed by the ShinyHunters group, hit universities and schools in the US, Canada, Australia, and Europe. 65 TB of data across roughly 275 million records from 8,809 educational institutions, and defaced Canvas login portals at about 330 institutions. The group later pivoted to direct school-by-school extortion with a final deadline of 12 May 2026.
Exposed data includes full names, email addresses, student ID numbers, and Canvas chats. ShinyHunters is a financially motivated gang formed in 2019 that operates a 'pay or leak' model without ransomware encryption. It has operational overlap with Scattered Spider, LAPSUS$, and SLSH.
The group exploits misconfigurations in common enterprise applications rather than advanced malware. This is its second breach of Instructure in eight months; the previous one in September 2025 targeted the Salesforce environment via social engineering. The attack was first detected on 30 April 2026 when Instructure reported disruptions affecting tools relying on API keys.
Instructure says the immediate threat is under control and there are no signs that passwords, birth dates, government IDs, or financial information were compromised, though the exposed data is sufficient for targeted phishing. In Sweden, 27 higher education institutions have reported suspected personal data incidents to the Swedish Authority for Privacy Protection (IMY). IMY has not yet determined if any actual leak occurred and advises students to be vigilant against phishing.
Uppsala University confirmed that data including names and email addresses has leaked. se, Katarina Adenmark, acting head of IT at Uppsala University, described the incident as unprecedented in scale. Mid Sweden University said integrations between Canvas and other systems were temporarily disabled as a security measure, but no Ladok data was compromised.
I cannot recall anything on this scale happening before.
University West has increased monitoring of Canvas. In Norway, nearly all colleges and universities use Canvas, and the contract is managed by Sikt. Sikt stated that Instructure discovered unauthorized access and it is likely data about Norwegian students and employees has been exposed.
NIH has notified the Norwegian Data Protection Authority. ShinyHunters has been active recently, breaching Dutch telecom Odido in February 2026 and claiming to have stolen 350 GB of data from the European Commission in March 2026. The breach caused Canvas to go offline, with some universities still reporting outages on Friday.
A ransom note appeared on screens at Mississippi State University, threatening to release stolen data unless a ransom was paid. The University of Sydney told students not to log in, and Idaho State University cancelled exams. Penn State University said a resolution was unlikely within 24 hours.
The University of British Columbia informed students of the cyber breach. Instructure detected the breach on 29 April 2026, exploiting a vendor system vulnerability, and revoked access. On 3 May, ShinyHunters published Instructure on its data leak site with a ransom demand.
The leak contains up to 231 million unique email addresses. Uppsala University students were met with threats of data leaks when trying to log in. There is no indication that more sensitive data like personal identity numbers have been leaked.
Uppsala University recommends guest account users change their passwords.