Canvas Breach Disrupts Classes for 275 Million Students Nationwide

A significant data extortion attack on the widely used education technology platform Canvas has disrupted classes and coursework at numerous school districts and universities across the United States. The cybercrime group ShinyHunters defaced the service’s login page with a ransom demand, threatening to leak sensitive data from approximately 275 million students and faculty members across nearly 9,000 educational institutions.

Immediate Impact on Educational Institutions

In response to the attack, Instructure, the parent company of Canvas, disabled the platform, which serves thousands of schools, universities, and businesses for managing coursework and communication with students. This disruption comes at a critical time, as many institutions are in the midst of final exams, raising concerns about the potential long-term impact on academic schedules and student performance.

Earlier this week, Instructure acknowledged a data breach after ShinyHunters claimed responsibility, stating they would leak data unless a ransom was paid. The initial deadline for payment was set for May 6 but was later extended to May 12.

In a statement released on May 6, Instructure indicated that the investigation revealed the stolen information included identifying details of users at affected institutions, such as names, email addresses, and student ID numbers, along with messages exchanged among users. The company asserted that there was no evidence suggesting the breach included more sensitive data like passwords, dates of birth, government identifiers, or financial information.

Escalation of the Attack

Despite Instructure’s assurances of containment, by midday on May 7, numerous students and faculty reported on social media that the usual Canvas login page had been replaced by ShinyHunters’ ransom demand. Instructure responded by taking Canvas offline and displaying a message indicating that the platform was undergoing scheduled maintenance.

The extortion message advised affected institutions to negotiate their own ransom payments to prevent the publication of their data, irrespective of Instructure’s actions. The message read, “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some ‘security patches.’”

A source close to the investigation revealed that several universities had already approached ShinyHunters regarding ransom payments. This source also noted that the ShinyHunters data leak blog no longer listed Instructure among its current extortion victims, and that the group typically removes victims from its site only after receiving payment or agreeing to negotiate.

Criticism of Instructure’s Response

Dipan Mann, founder and CEO of the security firm Cloudskope, criticized Instructure for labeling the outage as a “scheduled maintenance” event. Mann highlighted that ShinyHunters first demonstrated a breach of Instructure on May 1, leading to claims from Instructure’s Chief Information Security Officer Steve Proud that the incident had been contained. Mann pointed out that this latest attack marks at least the third breach by ShinyHunters in the past eight months.

In a blog post, Mann referred to a previous incident in September 2025, where ShinyHunters released thousands of internal files from the University of Pennsylvania. He noted that the breach was partly facilitated through Canvas, suggesting that Instructure’s vulnerabilities had been exploited repeatedly.

Broader Context of Cybercrime

ShinyHunters is known for its aggressive tactics in data theft and extortion, often gaining access to organizations through voice phishing and social engineering attacks. Last month, the group compromised the home security giant ADT, obtaining personal information from 5.5 million customers. They have also claimed responsibility for extortion attacks against various high-profile organizations, including Medtronic and Rockstar Games.

The attack on Canvas is part of a broader trend of escalating cybercrime campaigns. Charles Carmakal, Chief Technology Officer at Mandiant Consulting, noted that multiple concurrent ShinyHunters intrusion and extortion campaigns are currently underway.

Future Implications for Educational Institutions

The outcome of this incident will largely depend on how Instructure’s customers—universities, K-12 districts, and educational ministries—choose to react. Mann suggested that the history of incidents involving education vendors indicates that the path of least resistance may be to absorb the breach quietly rather than applying pressure for accountability.

On May 8, Instructure published an incident update indicating that the Canvas portal was functioning normally again. The company stated that the hackers exploited an issue related to Free-for-Teacher accounts, leading to the difficult decision to temporarily shut down these accounts. Affected organizations were notified on May 6, with Instructure emphasizing that they would directly contact primary contacts at affected institutions.

As educational institutions navigate this crisis, the implications of the breach extend beyond immediate operational disruptions. The incident raises critical questions about data security in educational technology and the responsibilities of vendors to protect sensitive information.

For further details on the breach, refer to the original reporting source: krebsonsecurity.com.
