Students at the University of Pennsylvania were left locked out of their primary learning management system on Thursday afternoon, as the notorious cybercrime collective ShinyHunters disabled the university’s access to Canvas. The disruption, which hit during the high-stakes first week of the semester’s final examination period, is the latest escalation in a protracted digital conflict between the hacking group and the Ivy League institution.
The outage follows a larger-scale breach of Instructure, the company that develops and manages Canvas, which ShinyHunters claims to have compromised on May 3. In a message posted directly to Penn’s Canvas landing page before the system was taken offline, the hackers demanded that affected universities “negotiate a settlement” to prevent the public release of stolen data. The group set a deadline of May 12, 2026, for institutions to make contact.
The breach is not isolated to Philadelphia. ShinyHunters has published a list suggesting that nearly 9,000 institutions worldwide have been impacted, including all eight Ivy League universities. For Penn, the stakes are particularly high: the group claims to have compromised the data of approximately 306,000 university affiliates, including names, emails, Penn ID numbers and course enrollment details.
University officials have confirmed they are investigating the incident and coordinating with the vendor and law enforcement. Vice President of Information Technology and Chief Information Officer Joshua Beeman stated that the university’s information security team is collaborating with industry professionals to assess the full impact of the leak.
A Calculated Disruption During Finals
The timing of the outage created immediate chaos for students and faculty already under the pressure of finals week. At approximately 4:20 p.m. Thursday, the hackers’ ransom note was replaced by a generic Canvas notification stating the platform was undergoing “scheduled maintenance.” However, internal communications soon revealed a more complex reality.
An email sent at 5:19 p.m. To deans and instructors—authored by Vice Provosts Russell Composto and Kelly Jordan-Sciutto, alongside Chief Information Security Officer Nick Falcone—clarified that the university was “actively investigating” the breach. The administration acknowledged the “significant disruption” and urged instructors to utilize provided resources to maintain academic continuity while access was restored.
The breach appears to be a targeted strike against Instructure’s infrastructure rather than a direct hit on Penn’s own internal servers. In a statement provided to The Daily Pennsylvanian, a spokesperson for ShinyHunters claimed that the company had ignored previous warnings and attempted to hide vulnerabilities with superficial “security patches.”
“ShinyHunters has breached Instructure (again),” the warning read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’ Instructure didn’t fix all the vulnerabilities we have more.”
Verification of Stolen Data
While universities often treat breach claims with skepticism until evidence is presented, the threat in this instance has been substantiated. A member of ShinyHunters shared a sample of the stolen data, which included verified Canvas user accounts and internal messages exchanged between students and faculty. This confirms that the attackers had access not only to administrative metadata but to the private communications occurring within the educational platform.
The scope of the data theft represents a significant privacy failure for the hundreds of thousands of affiliates affected. The combination of Penn ID numbers and course enrollments provides a detailed map of student and faculty activity, which can be leveraged for highly targeted phishing attacks or identity theft.
| Event Date | Incident Detail | Impact/Outcome |
|---|---|---|
| Fall 2025 | Initial ShinyHunters breach of Penn | Leak of donor records and internal memos |
| Oct 31, 2025 | Mass spam campaign | Emails sent via Graduate School of Education |
| February 2026 | Ransom demand | Penn declined to pay $1 million settlement |
| May 3, 2026 | Instructure breach | Data of millions of Canvas users compromised |
| May 7, 2026 | Canvas outage at Penn | Access shut down during finals week |
A Pattern of Escalation
This is not the first time Penn has found itself in the crosshairs of ShinyHunters. The group first targeted the university in the fall of 2025, releasing thousands of confidential files, including sensitive donor records and internal memos. That campaign culminated on October 31, 2025, when the group hijacked email addresses affiliated with the Graduate School of Education to blast spam emails criticizing the university’s admissions practices and security posture.
The current crisis appears to be a retaliatory move. In February, a spokesperson for the hacking group informed the student press that Penn had refused to pay a $1 million ransom intended to prevent the further release of files stolen during the 2025 attack. By targeting the university’s primary academic tool during the most critical week of the semester, ShinyHunters is leveraging academic instability as a bargaining chip.
The broader implications for higher education are concerning. With nearly 9,000 institutions potentially affected, the breach highlights a systemic vulnerability in the “single-vendor” model, where thousands of universities rely on a single third-party provider like Instructure for their core operational needs. A single point of failure at the vendor level can effectively paralyze the academic functions of the entire Ivy League and beyond.
The university continues to work with law enforcement and Instructure to restore full service. The next critical checkpoint will be May 12, the deadline set by ShinyHunters for institutions to negotiate a settlement before the group threatens to leak the remaining compromised data.
Do you have information regarding this breach or are you an affected student? Share your experience in the comments or contact our newsroom.
