ShinyHunters Gang Defaces Canvas Portals at Hundreds of US Colleges

The ShinyHunters extortion gang defaced Canvas login portals at hundreds ^[1] of colleges and universities across North America on Thursday, May 7, 2026.

This breach targets the primary learning management system used by a vast number of academic institutions. By compromising the login gateways, the attackers have disrupted student and faculty access while leveraging the threat of data leaks to force payments.

The defacements began around 1:02 p.m. ^[3] on Thursday. The attackers targeted platforms hosted by Instructure, the company behind Canvas, affecting institutions throughout the U.S. and Canada [4, 5]. At the University of California San Diego, the compromise was noted specifically at 1:02 p.m. ^[3].

ShinyHunters is using the defacement as a public signal for their extortion efforts. The group issued ransom demands to the affected schools, threatening to leak stolen data if the payments are not received by a set deadline [2, 4].

According to reports, the group set a payment deadline of May 12, 2026 ^[2]. However, other reports indicate the group may have moved this deadline again ^[4].

The scale of the attack is significant because it hits the centralized infrastructure that schools rely on for grading, assignments, and communication. Because the portals themselves were defaced, the attack is visible to every student and staff member attempting to log in, a tactic designed to increase pressure on university administrations to comply with the ransom demands [1, 6].

Instructure platforms serve as the digital backbone for these institutions. The coordinated nature of the defacement suggests a widespread vulnerability or a targeted campaign against the service's login portals [5, 6].