Cybercrime group crashes Penn’s Canvas system, demands ransom to prevent data release
This story is developing and will continue to be updated.
Students were unable to access Canvas on Thursday afternoon after cybercrime group ShinyHunters shut down Penn’s access to the interface.
The May 7 data breach comes after ShinyHunters — notorious in the hacking community for large-scale data breaches — claimed responsibility for breaching Instructure, the company that manages Canvas, last week. In the message posted on Penn’s Canvas page, the hackers wrote that any university that does not wish to have its data released should contact the group before May 12.
The disruption to Canvas comes amid the first week of this semester’s Final Examinations period.
A request for comment was left with a University spokesperson.
Get the DP delivered straight to your inbox.
“ShinyHunters has breached Instructure (again),” the warning read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”
In a statement to The Daily Pennsylvanian, the hackers urged impacted schools to “negotiate a settlement.”
“Instructure didn't fix all the vulnerabilities we have more,” the spokesperson added. The warning on Canvas set a deadline for “the end of the day by 12 May 2026” before “everything is leaked.”
At around 4:20 p.m., the ShinyHunters message was replaced by a message from Canvas that stated the platform was undergoing “scheduled maintenance.”
According to a message shared with deans and instructors at 5:19 p.m., Penn is “actively investigating” the breach and is “working with Instructure to restore access to Canvas as soon as possible.”
The email — written by Vice Provost for Undergraduate Education Russell Composto, Vice Provost for Graduate Education Kelly Jordan-Sciutto, and Chief Information Security Officer Nick Falcone — added that “this issue is not limited to Penn and is affecting multiple institutions who use Canvas.”
ShinyHunters previously published a list of the nearly 9,000 institutions affected by the hack — including all eight Ivy League universities.
The May 6 message provided a link outlining resources for instructors on “maintaining continuity during a Canvas disruption.”
“We recognize that this is a significant disruption and will share more information as it becomes available,” Penn’s email continued.
ShinyHunters claimed responsibility for breaching Instructure on May 3, reportedly compromising the data of hundreds of millions of users, including 306,000 Penn affiliates. Included in the information obtained by the hackers are emails, names, Penn ID numbers, and course enrollments.
The DP was able to confirm the group obtained Penn user data after a ShinyHunters member shared a sample of the stolen information, which included Canvas user accounts and internal messages between University students and faculty.
Vice President of Information Technology and Chief Information Officer Joshua Beeman previously wrote in a statement to the DP that Penn’s “Information Security team is collaborating with the affected vendor, industry professionals, and law enforcement to assess any potential impact on Penn.”
The same cybercrime group first targeted Penn in the fall of 2025, when it released thousands of internal files — such as donor records, internal memos, and other confidential University files. The hack became apparent on Oct. 31, 2025, when mass spam emails criticizing the University’s security measures and admissions practices were sent from email addresses affiliated with the Graduate School of Education.
In February, a ShinyHunters spokesperson told the DP that Penn failed to pay a $1 million ransom to prevent the further release of stolen files.
Staff reporter Luke Petersen covers national politics and can be reached at petersen@thedp.com. At Penn, he studies philosophy, politics, and economics. Follow him on X @LukePetersen06.