ShinyHunters, the hacker group behind the May 2026 breach of the Canvas learning management system, has set a ransom payment deadline of 12 May 2026, giving Instructure, the company that owns Canvas, until end of day tomorrow to pay or face the public release of 3.5 terabytes of stolen student data covering an estimated 275 million users globally.
The breach, which first surfaced in early May, crippled university systems across the United States during final examination season, taking down platforms at institutions including Harvard, UC Berkeley, and dozens of California State University campuses.
Canvas has since restored partial service through security patches, but the underlying threat has not gone away.
What the Canvas ShinyHunters ransom deadline means for Instructure
ShinyHunters claimed to have exfiltrated 3.5 terabytes of data from Instructure’s systems, including student names, email addresses, student ID numbers, and private messages. The group has told affected institutions and Instructure that they can negotiate a settlement, with May 12 as the hard cutoff date.
As of the time of publishing, there is no public confirmation that Instructure has paid a ransom or reached any settlement. The company has not issued a statement on whether negotiations are underway.
The silence is fairly standard in active ransomware situations, where paying publicly creates legal and reputational problems, as reported by Al Jazeera.
The May 12 deadline is significant because it changes the threat from theoretical to operational. After that date, ShinyHunters have indicated the data will be released, either in a public dump or sold to other criminal actors.
Who ShinyHunters are
ShinyHunters are not a new name in the world of large-scale data theft. The group has previously been linked to major breaches including Ticketmaster, Santander Bank, and AT&T, accumulating a track record that makes their deadline credible rather than empty posturing.
They operate in the dark web economy where stolen data translates directly into cash, either through ransom or resale.
The Canvas breach follows a pattern ShinyHunters has used before: target a platform with massive reach, exfiltrate in bulk, sit on the data publicly long enough to create pressure, then either collect a ransom or dump everything.
What happens next
Tomorrow’s deadline is the critical moment. If no payment or settlement is announced, the expectation from threat analysts is that the data dump begins. Affected institutions and students should treat their Canvas credentials as compromised and change any passwords linked to their Canvas accounts where those credentials were reused elsewhere.
Instructure has not yet said whether it intends to notify all affected users individually.
