Canvas Breach and Ransom Demands Disrupt U.S. Schools During Finals
Instructure pulled its education platform offline after hackers defaced login pages with ransom demands targeting data from 275 million students and faculty.
Primary source: Krebs on Security. Full source links and update notes are below.
Fast summary
Start here
- Cybercrime group ShinyHunters defaced the Canvas login page on Thursday with a ransom demand after a previous breach was reported.
- Instructure took the platform offline, citing "scheduled maintenance" despite the ongoing extortion attempt.
- The breach affects approximately 9,000 educational institutions and involves student IDs, emails, and private messages.
What happened
Canvas, the widely used educational management platform, was taken offline Thursday following a targeted data extortion attack. The parent company, Instructure, disabled the service after the cybercrime group ShinyHunters defaced the login portal with a message threatening to leak the data of 275 million students and faculty across nearly 9,000 institutions.
What's new in this update
On Thursday, May 7, the incident escalated as hackers bypassed Instructure's initial security measures to replace the standard login page with a direct ransom note. Instructure responded by pulling the platform offline and displaying a "scheduled maintenance" message on its status page. This move has been criticized by security experts who argue the company is downplaying an active cyberattack.
Key details
The attackers claim to possess billions of private messages between students and teachers, alongside names, phone numbers, and email addresses. Instructure had previously confirmed on May 6 that identifying information like student IDs and emails had been stolen, though it found no evidence that passwords, government identifiers, or financial information were compromised. Recent reports suggest some universities may already be in negotiations with the group.
Background and context
ShinyHunters first demonstrated access to Instructure's systems on May 1. While the company initially claimed the incident was contained and that the platform was fully operational by May 6, the subsequent login page defacement proved the threat actors still held leverage. The attack comes at a critical time as many U.S. school districts and universities are currently managing end-of-year coursework and final exams.
What to watch next
Observers are watching for how many individual institutions will approach the cybercrime group directly, as the extortionists encouraged schools to settle their own ransom payments regardless of Instructure's corporate response. Additionally, the removal of Instructure from the ShinyHunters leak blog suggests that a payment may have already been made or that active negotiations are occurring.
Why it matters
The outage occurs during peak final exam periods for many universities, potentially impacting millions of students and forcing institutions to decide whether to negotiate directly with cybercriminals.
Read next
Follow this story through the topic hub, more security coverage, and the latest updates.
Weekly briefing
Get the week's key developments in one concise email.
Get a fast catch-up on the biggest stories, the context behind them, and the links worth your time.
Cadence
Weekly, for a quick catch-up
Coverage
AI, business, world, security, sports
Format
Clear takeaways and useful context
Request the briefing
Leave your email to open a prepared request and get on the list for the weekly briefing.
Author
See who assembled this story and follow more of their work.
Sources and methodology