Everything is leaked after May 12 unless you negotiate with us
In the quiet architecture of digital learning, a breach has reminded thousands of institutions — from Singapore to Cambridge — that the platforms holding the rhythms of academic life are also repositories of human identity. The group known as ShinyHunters claimed to have extracted names, emails, student IDs, and internal messages from Canvas, the learning platform used globally, naming Singapore's National University of Singapore among its targets. With a deadline set for May 12, the breach has moved from the technical into the deeply personal, placing students and staff at the center of a negotiation they never agreed to enter. It is a familiar modern parable: the infrastructure we trust most quietly becomes the thing we are most exposed through.
- A cyber-extortion group called ShinyHunters seized identifying data from thousands of universities worldwide — including NUS, Harvard, and Stanford — turning a routine learning platform into a hostage situation.
- The stolen data — names, email addresses, student IDs, and private messages — stops short of passwords or financial records, but is personal enough to be weaponized for targeted fraud or harassment.
- A May 12 deadline hangs over affected institutions, with ShinyHunters threatening to release everything publicly if ransom negotiations are not initiated, forcing rapid decisions under pressure.
- Canvas operator Instructure has restored full service and reports no ongoing unauthorized access, but the technical recovery offers little comfort to those whose identities are already in unknown hands.
- Singapore's three named institutions — NUS, the Singapore College of Insurance, and the Institute of Singapore Chartered Accountants — face the harder, slower work of responding to their communities while the clock runs down.
On May 7, thousands of universities worldwide discovered they had been caught in a sweeping breach of Canvas, the learning management platform that underpins modern academic life. Among them were three Singapore institutions: the National University of Singapore, the Singapore College of Insurance, and the Institute of Singapore Chartered Accountants. The group behind the attack, ShinyHunters — a cyber-extortion outfit active since at least 2019 — posted publicly on Reddit claiming responsibility and setting terms.
What had been taken was significant: names, email addresses, student ID numbers, and messages exchanged within the platform. The breadth of the breach was underscored by the presence of Harvard and Stanford on the same list. ShinyHunters gave institutions until May 12 to negotiate privately, warning that after that date, all stolen data would be released publicly.
Instructure, Canvas's American parent company, had acknowledged the attack as early as May 2, offering careful reassurance about what had not been compromised — passwords, dates of birth, government IDs, and financial information all appeared safe. By May 6, the platform was fully restored and no ongoing unauthorized access had been detected. The operational crisis had passed.
But for the Singapore institutions named on ShinyHunters' list, a quieter and more personal crisis remained. Their students and staff had been catalogued and were now leverage. The Straits Times sought comment from all three institutions as the deadline approached — and for those whose information had been taken, the breach had long since ceased to be abstract.
On May 7, thousands of universities worldwide woke to find themselves locked out of Canvas, the learning platform that has become essential infrastructure for modern education. Among them were three Singapore institutions: the National University of Singapore, the Singapore College of Insurance, and the Institute of Singapore Chartered Accountants. The breach was not a quiet one. Within hours, a group calling itself ShinyHunters—a cyber-extortion outfit that has operated since at least 2019—posted a message on Reddit claiming responsibility and making a demand.
The group had stolen identifying information from the affected institutions, they said. Names. Email addresses. Student ID numbers. Messages between users. The list of compromised schools was extensive enough to include Harvard and Stanford, suggesting the scale of what had been taken. ShinyHunters gave the institutions until May 12 to negotiate what amounted to a ransom payment, warning that after that date, "everything is leaked." The message included a link to the full roster of breached schools and instructions for how institutions could contact the group privately to discuss terms.
Instructure, the American company that owns and operates Canvas, had already acknowledged the attack on May 2. In a statement, the company provided some reassurance about what had not been compromised: passwords remained secure, dates of birth had not been accessed, government identification numbers were safe, and financial information appeared untouched. What was taken—names, emails, student identifiers, and internal messages—was serious enough, but the company's careful enumeration of what was not stolen suggested an attempt to contain the damage and prevent panic.
By May 6, Instructure reported that Canvas was fully operational again. The company said it had found no evidence of ongoing unauthorized access to the system. The immediate crisis of service disruption had passed. But for the three Singapore institutions now named on ShinyHunters' list, a different kind of crisis remained. Their students and staff had been identified, catalogued, and were now leverage in a negotiation they had not chosen to enter.
The Straits Times reached out to all three institutions for comment, seeking to understand what they knew about the breach and what steps they were taking in response. The deadline ticking toward May 12 meant that decisions about how to respond—whether to negotiate, whether to go public, whether to wait and see if the group would follow through on its threat—had to be made quickly. For the students and employees whose information had been taken, the breach was no longer theoretical. It was personal.
Citações Notáveis
If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber-advisory firm and contact us privately to negotiate a settlement.— ShinyHunters, in a message posted on Reddit
We have found no evidence that passwords, dates of birth, government identifiers or financial information were involved.— Instructure, the company behind Canvas
A Conversa do Hearth Outra perspectiva sobre a história
Why does it matter that this group specifically named these three Singapore institutions? They could have just kept the data.
Because naming them is the threat. The group is saying: we have your data, we know who you are, and we're giving you a choice—pay us or we publish it. The naming is the extortion mechanism.
What kind of information did they actually get?
Names, email addresses, student ID numbers, and messages between users. Not passwords, not financial data. But that's enough to identify people, to contact them, to know who studied what and who talked to whom.
Why would a university pay a ransom for that?
Because the alternative is having that information released publicly. For a student, that could mean their identity is tied to their academic record online forever. For staff, it's exposure. For the institution, it's a breach of trust with thousands of people.
Did the hackers actually have leverage, or were they bluffing?
They had already proven they could access the system. They had the data. Whether they'd actually release it is another question, but the institutions couldn't afford to assume they were bluffing.
What does it say that this group has been operating since 2019?
It says they've survived, which means they've been successful enough to keep going. They know how to operate, how to extract value, how to stay ahead of law enforcement. This isn't their first time.
What happens after May 12?
That's the unknown. Either the institutions negotiate and pay, or the group releases the data, or something else happens entirely. But the deadline is real, and it's approaching.