Canvas ransomware attack — Canvas E-learning platform is hacked by ShinyHunters. Image by Cybernews.

Listen to this article

Hackers have published a massive list naming Harvard, Oxford, and MIT among thousands of educational institutions allegedly caught in the expanding Canvas data breach.

ShinyHunters is continuing its vendetta against the developer of Canvas learning management system (LMS), which is one of the most widely used learning platforms in the world.

According to ShinyHunters’ post, which went live on the dark net on May 3rd, the breach could affect up to 275 million individuals and nearly 9000 institutions, including students, teachers, and institutional staff.

The group also alleges it has obtained “several billion” private messages exchanged within the platform, potentially exposing sensitive conversations between students, educators, and administrators.

The gang has now dropped the full list of affected educational institutions. The file contains approximately 8,809 educational institutions, including higher education institutions and high schools from at least 10 different countries.

Among the listed educational institutions are Amazon, Apple, and Cisco, suggesting that corporate clients might have used the LMS for employee training.

Most of the entries are from the US, followed by Australia, the UK, and Sweden. While the scope is not yet verified, the numbers could be very high, with the extensive list suggesting that at least 47.4 million students worldwide could be affected.

Among the victims are the most prominent educational institutions in the world, including:

Harvard Univesity
Stanford University
Massachusetts Institute of Technology (MIT)
University of Oxford
Princeton University
Columbia University
University of Cambridge (via Cambridge University Press entry)
Cornell University
UC Berkeley
Georgetown University

ShinyHunters has extended its ultimatum to May 7th, awaiting the company's response and a negotiation. The attackers threaten to publicly leak all the stolen data if the company does not negotiate.

The incident was contained, but the investigation is ongoing

On Saturday, Instructure Holdings, the company behind the widely used LMS, claimed that the incident had been contained, but the investigation is ongoing.

Steve Proud, the company's Chief Information Security Officer, stated that the security team revoked privileged credentials and access tokens associated with the affected systems.

Also, the company has deployed patches to enhance system security and implemented increased monitoring across all platforms.

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google

The company confirmed that the affected data includes names, email addresses, student ID numbers, and user messages.

“We have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved,” Proud claimed.The company did not provide any additional comments when Cybernews reached out.

Ivy League students at risk of phishing

Exposed data on this scale is extremely dangerous, as it enables attackers to craft highly targeted social engineering campaigns. It also helps them to identify high-value targets.

Some of the yearly tuition fees at the affected universities exceed $70,000, putting students at these universities' elite schools at heightened risk.

Cybernews researchers say that it’s very common to use such an exposed dataset in phishing campaigns. Attackers could impersonate teachers, administrators, or classmates, crafting messages that feel convincingly real. It could also cause operational disruptions within educational institutions.

Who are ShinyHunters?

ShinyHunters has recently made multiple high-profile attacks. The group looted 6.2 million records from Dutch telecom Odido in a Salesforce heist that triggered a class action and a criminal investigation.

In March, it dumped 350GB of data stolen from the European Commission. The gang then threatened US tech giant Cisco's Salesforce, and exposed nearly a million accounts from fintech firm Figure and 9 million records from Amtrak.

Canvas is not the only student platform that ShinyHunters has targeted. It compromised 11 million students through the school software firm Infinite Campus in March.

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.

18,611,353,922

Breached accounts

36,030

Breached websites

Financial giants Ameriprise Financial and Mercer Advisors were also targeted this year. Identity protection firm Aura saw 900,000 records leaked. GTA’s creators, Rockstar Games, confirmed it was among the latest names added to the list.

The gang built its name by stealing and selling data on dark web forums. In 2025, it pivoted to vishing campaigns targeting enterprise Salesforce environments.

Security researchers tie the group to a broader supergroup alongside Scattered Spider and LAPSUS$, all sharing overlapping members and roots in the youth cybercrime subculture known as "The Com."

Arrests across Canada, France, Turkey, and Finland seem to have done nothing to slow the pace of the attacks.

Unlock more exclusive Cybernews content on YouTube.