Data Still Held for Ransom as Canvas Returns Across the Claremont Colleges

Claremont Colleges students lost access to Canvas, a learning management software used by roughly half of American colleges and universities, for several hours during a nationwide cyberattack targeting the website’s parent company just a few days before finals week. 

The alleged perpetrator, ShinyHunters, is a data theft and extortion group that has been active since 2020. The group has previously been linked to several high-profile breaches, including those involving Ticketmaster and PowerSchool. An initial breach reportedly occurred in late April, but after Instructure, the company that owns and operates Canvas, declined to respond to the group's demands, ShinyHunters defaced login pages and escalated pressure. This prompted the company to temporarily shut the site down on May 7.

Among the roughly 15,000 institutions affected by the data breach are Claremont McKenna College, Claremont Graduate University, and Harvey Mudd College. Students at all seven Claremont Colleges were affected by the shutdown due to their reliance on the software.

Canvas, which is a platform the Claremont Colleges use to manage and access online course materials, assignments, and grades, was down for roughly four hours Thursday afternoon. While the full scope of the breach remains unclear, Instructure has confirmed that names, email addresses, student ID numbers, and private messages between users were taken before the breach was contained.

Claremont McKenna's Chief Information Officer assured students in an email that “Social Security numbers, passwords, or other highly sensitive information are not stored in Canvas.”  Instructure also stated that, based on its investigation to date, “passwords, dates of birth, government identifiers, and financial information do not appear to have been exposed.”  They further noted that "because CMC passwords are not stored in Canvas, there is no risk to the credentials students use to access email and other College resources." Pomona’s Chief Information Officer emailed students around 4:30 p.m., informing them that the College’s legal counsel continues to monitor the situation and remains in contact with the cybersecurity team.

Absent a response from Instructure, ShinyHunters has asked individual institutions to contact them for negotiations. In a statement on Ransomware.live, the group asserted: "The Company seemingly does not care about all the students affected and the institutions impacted by this data breach," and "Not paying will only worsen the situation." 

ShinyHunters has set a deadline of May 12, 2026, after which they threaten to leak the stolen data publicly with no further negotiation opportunities. Canvas came back online around 8 p.m. Thursday, but data from Claremont McKenna, Claremont Graduate University and Harvey Mudd remain under ransom threat. Claremont McKenna later emailed students that the platform was “fully operational and safe to use,” while advising them to report suspicious emails and contact the college if they notice “anything unusual.”