The widely used education technology platform Canvas, operated by Instructure [NYSE:INST], was disrupted today following a data extortion attack by the cybercrime group ShinyHunters. The attackers defaced the Canvas login page with a ransom demand threatening to leak data from 275 million students and faculty across nearly 9,000 educational institutions.
A screenshot shared by a reader showed the extortion message displayed on the Canvas login page. In response, Instructure disabled the platform, which serves thousands of schools, universities, and businesses for managing coursework, assignments, and student communication.
Instructure acknowledged a data breach earlier this week, after ShinyHunters claimed responsibility and demanded a ransom. The initial payment deadline was set for May 6 but was later extended to May 12.
In a May 6 statement, Instructure said the investigation revealed the stolen data included “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.” The company confirmed it found no evidence that more sensitive data, including passwords, dates of birth, government identifiers, or financial information, was among the stolen data.
The May 6 update also stated that Canvas was fully operational and that Instructure had not detected any ongoing unauthorized activity. “At this stage, we believe the incident has been contained,” the company wrote.
However, by mid-day on Thursday, May 7, students and faculty at dozens of schools and universities reported that the ShinyHunters ransom demand had replaced the Canvas login page. Instructure responded by taking Canvas offline and displaying a maintenance message: “Canvas is currently undergoing scheduled maintenance. Check back soon.”
Instructure’s status page currently reads: “We anticipate being up soon, and will provide updates as soon as possible.”
While the stolen data may not contain highly sensitive information, ShinyHunters claims it includes several billion private messages among students and teachers, along with names, phone numbers, and email addresses. The timing of the attack is particularly damaging, as many affected schools are in the midst of final exams, and a prolonged outage could have severe consequences for Instructure.
The extortion message advised affected schools to negotiate their own ransom payments to prevent data publication, regardless of Instructure’s decision. It read:
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”
A source close to the investigation, who requested anonymity, told KrebsOnSecurity that a number of universities have already approached the cybercrime group to discuss ransom payments.