Cyberattack on Canvas Platform Plunges U.S. Schools into Chaos

A massive cyber extortion campaign targeting the widely used education technology platform Canvas has thrown school districts and universities across the United States into disarray. On May 7, the login page of Canvas was replaced with a ransom demand from the cybercrime group ShinyHunters, threatening to leak data from 275 million students and faculty members at nearly 9,000 educational institutions. The attack forced Instructure, the parent company of Canvas, to take the platform offline, disrupting coursework, assignments, and communications just as many institutions were conducting final exams.

The Attack: ShinyHunters Strikes Again

ShinyHunters, a well-known cybercrime group, claimed responsibility for the breach earlier that week. According to the hackers, they had stolen a massive trove of data, including several billion private messages between students and teachers, names, phone numbers, and email addresses. The group initially set a ransom deadline of May 6, later extended to May 12. On May 7, they followed through on their threat by defacing the Canvas login page with a ransom note, effectively locking out users across thousands of schools, from small districts to large universities.

Cyberattack on Canvas Platform Plunges U.S. Schools into Chaos — Source: krebsonsecurity.com

The attack targeted the very heart of modern education—the digital classroom—and highlighted the vulnerability of cloud-based learning management systems that handle sensitive student and faculty information.

Instructure's Response: From Assurance to Shutdown

Initial Containment Statement

On May 6, Instructure issued a statement acknowledging the data breach. The company said the investigation had revealed that the stolen information consisted of “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.” Importantly, Instructure found no evidence that more sensitive data—passwords, dates of birth, government identifiers, or financial information—had been compromised. At that time, they declared the incident contained and noted that Canvas was fully operational.

Defacement and Service Interruption

However, by midday on Thursday, May 7, students and faculty at dozens of schools took to social media to report that a ShinyHunters ransom demand had replaced the familiar Canvas login page. In response, Instructure took the drastic step of pulling Canvas offline entirely. The login portal was replaced with a terse message: “Canvas is currently undergoing scheduled maintenance. Check back soon.” The company’s status page updated with a note that they anticipated being back up soon and would provide updates. But for many affected users, the outage came at the worst possible time.

Timing and Impact: Exam Season Paralysis

While the stolen data may not include the most sensitive personal information (a point of some debate given ShinyHunters' claims), the timing of the attack could hardly have been worse for Instructure and the educational institutions that rely on Canvas. Many schools are in the midst of final exams, and a prolonged service outage could have catastrophic consequences—missed deadlines, lost grades, and disrupted communications between teachers and students. The interruption threatens to delay academic schedules and create administrative chaos.

The ransom message that greeted Canvas users specifically advised affected schools to negotiate their own ransom payments directly with the hackers, regardless of whether Instructure decides to pay the broader ransom. This tactic puts individual institutions in a difficult position, forcing them to consider whether to engage with cybercriminals to protect their data—a move strongly discouraged by cybersecurity experts.

What Data Was Compromised?

Instructure has confirmed that the breach exposed the following information for users at affected institutions:

Names
Email addresses
Student ID numbers
Messages among users (including private conversations)

ShinyHunters claims the stolen data goes further, alleging it includes phone numbers and billions of private messages. However, Instructure maintains that no passwords, dates of birth, government-issued identifiers, or financial information were taken. The company continues to investigate the full scope of the breach.

For a more detailed breakdown of the types of data typically at risk in such attacks, see our guide on common data breach exposures.

Advice for Affected Institutions

Cybersecurity experts recommend that schools and universities affected by the Canvas breach take the following steps immediately:

Do not pay the ransom. Paying encourages further attacks and does not guarantee data will not be leaked.
Notify all students and staff about the breach and provide guidance on monitoring for phishing attempts.
Enable multi-factor authentication on all accounts linked to Canvas and other institutional systems.
Review and update incident response plans to address similar threats in the future.
Cooperate with law enforcement and Instructure’s investigation.

As the situation develops, Instructure has promised to provide regular updates. For now, the education community waits anxiously, hoping for a swift resolution that will minimize disruption to students’ academic progress.

Tags: