Canvas, the widely-used learning management platform owned by Instructure, went offline after confirming a major data breach affecting student records. The hacking group ShinyHunters claimed responsibility and threatened to leak the compromised data.
Canvas experienced an outage on Thursday as the platform dealt with fallout from a confirmed security breach. The incident exposed student names, email addresses, ID numbers, and private messages across multiple institutions.
ShinyHunters, the hacking collective behind the attack, posted a message to users attempting to access the system. The group claimed that Instructure ignored their breach notification and instead opted to apply "security patches" rather than engage in direct communication.
According to ShinyHunters' statement, the group threatened to leak data from schools using the platform if their demands were not met. The specific nature of those demands remained unclear, though the message suggested Instructure's response fell short of expectations.
Canvas serves thousands of educational institutions globally, making the breach a significant incident affecting students and faculty across multiple schools. The platform is essential infrastructure for many organizations, handling course materials, assignments, grades, and communications.
Instructure has not yet released a comprehensive public statement detailing the scope of the breach, the number of affected institutions, or their response timeline. The outage represents both a technical disruption and a security crisis that will likely prompt increased scrutiny of the company's data protection practices.
This marks another incident in a pattern of breaches affecting educational technology providers. Schools and students now face potential identity theft risks from the exposed personal information, including ID numbers that could facilitate fraud.
The situation highlights ongoing tensions between security researchers and large technology companies over breach disclosure and remediation processes. ShinyHunters' criticism of Instructure's handling suggests a breakdown in communication during the incident response phase.
Grok CLI experienced a critical bug that caused it to upload entire home directories to Google Cloud Storage. The issue sparked significant discussion in the developer community about data handling practices.
Aylo, Pornhub's parent company, will restore access to the site in the UK through Apple's device-level age verification system in iOS 26.4. The move requires users to complete age verification before accessing the platform.
Australia's eSafety Commissioner has identified significant gaps in how major tech platforms address online sexual extortion. Young men are reporting sextortion at higher rates than any other demographic, with over 2,000 complaints filed in just six months.
Angelo Martino, a ransomware negotiator, was sentenced to 70 months in prison for colluding with attackers to defraud victims. Martino helped orchestrate scams that extracted over $75 million from ransomware victims.