Canvas Cyberattack: ShinyHunters Threatens Data Leak as Extortion Deadline Nears

Canvas Cyberattack: ShinyHunters Threatens Massive Data Leak

Pressure is mounting on Instructure, the company behind the widely used education platform Canvas, as cybercriminals affiliated with ShinyHunters threaten to leak a trove of sensitive data allegedly stolen during a prolonged cyberattack. The attack has left schools, students, and teachers unable to access critical systems, raising concerns across the education sector.

Widespread Outages and Platform Disruptions

Late last week, Instructure took Canvas offline following additional malicious activity, including the defacement of the platform’s login page. By Friday, the company confirmed that Canvas—a central hub for K-12 and university coursework, exams, grades, and communication—was restored and fully operational.

ShinyHunters Claims Responsibility and Demands Ransom

ShinyHunters, a decentralized cybercriminal group affiliated with The Com, claimed responsibility for the attack on its data leak site. The group initially set a deadline of May 6—four days after Instructure disclosed the incident—to extort the company for an undisclosed ransom amount. When the deadline passed without payment, ShinyHunters escalated its tactics by injecting an extortion message directly into the Canvas login pages of roughly 330 institutions and shifted to a school-by-school extortion campaign with a new deadline of May 12.

"The scope makes this one of the largest single education-sector exposures we’ve tracked." — Cynthia Kaiser, Senior Vice President of Halcyon’s Ransomware Research Center

Data Breach Confirmed: What Was Exposed?

Instructure CEO Steve Daly acknowledged in a statement that the attack, which remains under investigation with the assistance of CrowdStrike, exposed usernames, email addresses, course names, enrollment information, and messages. Daly emphasized that course content, submissions, and credentials were not compromised.

Instructure Apologizes for Poor Communication

In the wake of the attack, Daly issued an apology for Instructure’s inconsistent communication and deficient public response. He stated:

"Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that."

Federal Scrutiny and Congressional Response

The cyberattack has drawn the attention of lawmakers on Capitol Hill. The House Homeland Security Committee published a letter to Daly on Monday, demanding a briefing with him or a senior leader at Instructure by May 21. The letter, authored by Chairman Andrew Garbarino (R-N.Y.), raised concerns about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds.

The committee’s letter states:

"The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds."

Scale of the Breach: 3.65TB of Data Allegedly Stolen

ShinyHunters claims to have stolen 3.65 terabytes of data spanning 275 million records across 8,809 school systems. The group’s escalating tactics—including direct extortion messages on login pages—have intensified pressure on Instructure to respond.

Ongoing Investigation and Sector-Wide Concerns

The attack has spurred broad concern across the education sector, with ransomware experts and threat hunters closely monitoring developments. Instructure has not confirmed the existence of a ransom demand and declined to answer questions about its response.