After a security breach derailed access to the Canvas educational service across the U.S., the site was restored near the end of the day Thursday, May 7, 2026, according to alerts published by Eastern Michigan University's IT department and Instructure, Canvas' parent company.
Instructure confirmed on its website that the compromised user data included "names, email addresses, student ID numbers, and messages among Canvas users."
"We have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved," the statement continued.
The company first issued a notice about the security breach May 1, and had been working for several days to resolve the problem.
Melissa Thrasher, an executive director in EMU’s communications department, told The Echo in an email May 8, 2026, that the university was confirmed by Instructure on May 1 as one of the impacted universities. She said that there was “no evidence of ongoing unauthorized access to EMU systems” and confirmed that the same data types listed by Instructure may have leaked from EMU’s Canvas data.
“At this time, Instructure has not recommended any specific action for users beyond standard cybersecurity best practices,” Thrasher wrote.
ShinyHunters, a hacker group that has been attributed to several high-profile, corporate data breaches, claimed responsibility for the attack on Instructure, and the Canvas pages for several universities around the country, showed a ransom note Thursday night that was attributed to the group. The note included a payment deadline of May 12, 2026. The ShinyHunters website provided in that ransom note explained that the group's mission was corporate regime change.
"Once we come to an agreement and finalized, the data is deleted and you will not be listed on this site," the website said. After access to Canvas was restored by Instructure, demands against the group were no longer listed on the ShinyHunters website.
The Eastern Echo sent an inquiry to ShinyHunters through the contact email listed on its website to confirm whether the group had reached a payment deal with Instructure, as well as to inquire if EMU was one of the schools affected in the data breach. A media representative for the group replied that they were "unable to comment at this time regarding this nationwide incident."
Brian Watkins, the senior communications director for Instructure, did not confirm or deny whether Instructure had worked out a payment agreement with ShinyHunters.
"Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in," a statement provided by Watkins said. "Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate."
The statement said that the unauthorized actor had exploited a vulnerability in the Free-For-Teacher accounts, which had been temporarily shut down in response.
“EMU’s Division of Information Technology is actively monitoring the situation and remains in direct communication with Instructure,” Thrasher’s statement said. “We will provide updates to our campus community as new, verified information becomes available.”
