After a security breach derailed access to the Canvas educational service across the U.S., the site was restored near the end of the day on Thursday, May 7, 2026, according to alerts published by Eastern Michigan University's IT department and Instructure, Canvas' parent company.
Instructure confirmed on its website that the compromised user data included "names, email addresses, student ID numbers, and messages among Canvas users."
"We have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved," the statement continued.
The company first issued a notice about the security breach on May 1, and had been working for several days to resolve the problem.
ShinyHunters, a hacker group to which several high-profile corporate data breaches have been attributed, claimed responsibility for the attack on Instructure, and the Canvas pages for several universities around the country showed a ransom note on Thursday night that was attributed to the group. The note included a payment deadline of May 12, 2026. The ShinyHunters website provided in that ransom note explained that the group's mission was corporate regime change.
"Once we come to an agreement and finalized (sic), the data is deleted and you will not be listed on this site," the website said. After access to Canvas was restored by Instructure, demands against the group were no longer listed on the ShinyHunters website.
The Eastern Echo sent an inquiry to ShinyHunters through the contact email listed on its website to confirm whether the group had reached a payment deal with Instructure, as well as to inquire about EMU's potential involvement in the hack. A media representative for the group replied that they were "unable to comment at this time regarding this nationwide incident."
Brian Watkins, the senior communications director for Instructure, did not confirm or deny EMU's involvement in the hack or the identity of the hackers. He also did not confirm or deny whether Instructure had worked out a payment agreement with ShinyHunters.
"Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in," a statement provided by Watkins said. "Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate."
The statement said that the unauthorized actor had exploited a vulnerability in the Free-For-Teacher accounts, which had been temporarily shut down in response.
Staff members at EMU's IT department directed The Echo to the university's communications department, which did not immediately respond to requests for comment.








