Canvas breach hits Indiana University, MCCSC as hackers threaten data leak

In the middle of the end-of-semester grading period for Indiana University, faculty and students are dealing with a major global security breach of Canvas, which is an online learning platform used by thousands of educational institutions. The university’s system is still shut down as of early afternoon Friday (May 8), after the system was first disrupted late Thursday afternoon.

Based on email communications to faculty, Indiana University officials appear to be focused mid-day Friday on collecting information about which courses have been impacted, either by disruption of exams or student work assignments. End-of-semester grading issues will be handled separately.

The Canvas platform is also used by Monroe County Community School Corporation, which has also been affected. According to an MCCSC spokesperson, on Friday the district still has Canvas disabled “out of an abundance of caution.” According to MCCSC, teachers will be flexible on student assignments and grading.

MCCSC says the following data is safe, because it’s not stored on Canvas: birth dates; state testing numbers (STNs); and Canvas passwords. The data that might be compromised, according to MCCSC includes: student name; MCCSC student email address; any additional contact information users added to their Canvas profile.

The update from MCCSC sent to families on Wednesday (May 6) stresses that there is no confirmation that student names or email addresses were exposed in the Canvas data breach. According to MCCSC, additional protections are in place for student email addresses: They can receive messages only from MCCSC contacts.

Canvas is an online learning platform made by the parent company, Instructure, which schools use to manage classes, assignments, grades, quizzes, and communication between students and instructors. Colleges and K–12 districts typically connect Canvas to their enrollment and login systems so students can access coursework and submit assignments through a single online portal.

Claiming responsibility for the breach is a group called Shinyhunters. According to Wednesday’s update from MCCSC, the district was notified on May 5 by Instructure that MCCSC was among the organizations impacted by a Canvas data breach. According to MCCSC, Instructure detected the incident on April 29, immediately revoked access, and addressed the underlying vulnerability to Canvas.

When Indiana University students logged on to Canvas a warning appeared:

==========
SHINYHUNTERS
rooting your systems since ’19 ;)

ShinyHunters has breached Instructure (again).
Instead of contacting us to resolve it they
ignored us and did some “security patches”.

△ WARNING

If any of the schools in the affected list are
interested in preventing the release of their
data, please consult with a cyber advisory firm
and contact us privately at TOX to negotiate a
settlement. You have till the end of the day by
12 May 2026 before everything is leaked.

Instructure still has until EOD 12 May 2026
to contact us.

▼ DOWNLOAD AFFECTED_SCHOOLS.TXT ▼
91.215.85.103/pay_or_leak/instructure_affected_schools_list.txt

visit us: shnyhntww34phgoa6dcgnvps2yu7dlwzmy5
Lkvejwjdo6z7bmgshzayd.onion
==========

The directory of affected organizations in the index of the URL in the warning message includes taunting filenames typical of “name-and-shame” extortion efforts.

Based on the file names, the targets appear to include: universities and education companies like Harvard University, the University of Pennsylvania and Infinite Campus; tech and media platforms like Vimeo, SoundCloud and Udemy; retailers including Zara and 7-Eleven; financial and real estate firms like Betterment, Berkadia and Marcus & Millichap; the passenger railway, Amtrak; and security firms like ADT and Alert 360.

Several of the posted archives are very large, including files labeled for ZenBusiness at 802 GB, Addi at 483 GB and Zara at 130 GB.

Not obviously included in the index are Indiana University or MCCSC.

In its Friday morning update, Indiana University acknowledged that some other institutions have already brought their Canvas platforms back on line, but indicated IU is taking a cautious approach, focusing on securing information: “While we are aware that a small number of institutions have seen Canvas functionality reestablished, our priority remains to restore service as soon as possible while also protecting IU’s data security.”

Indiana University has set up a status page on the Canvas outage.