Ransomware Attack Paralyzes Canvas Platform as ShinyHunters Leaks Threat Looms Over 9,000 Schools

Breaking News — A coordinated data extortion attack on Instructure’s Canvas learning management system has forced the platform offline, disrupting final exams and coursework for millions of students and faculty across nearly 9,000 U.S. educational institutions. The cybercrime group ShinyHunters defaced the login page Thursday with a ransom demand, threatening to publish 275 million user records unless paid by a revised deadline of May 12.

Instructure confirmed the defacement and took Canvas down, replacing the login portal with a message stating “scheduled maintenance.” The company had previously acknowledged a data breach on May 6, but the latest incident amplifies concerns about the safety of student data and academic continuity.

Attack Details

ShinyHunters claimed responsibility for the breach and subsequent defacement. The group’s extortion note, seen by KrebsOnSecurity, advises affected schools to negotiate separate ransom payments to prevent data publication, regardless of whether Instructure pays.

“This is a classic double-extortion play,” said Dr. Emily Tran, a cybersecurity analyst at SecurEd. “Even if Instructure pays, schools may face individual demands because the attackers have granular data per institution.”

Impact on Education

The outage struck at the worst possible time: many universities and school districts are in the middle of final exams. Students reported being locked out of assignments, grade portals, and communication channels. Social media flooded with complaints from dozens of affected institutions.

“Students are panicking because they can’t submit papers or check final grades,” said Marcus Reed, a student at a large midwestern university. “Professors are scrambling to find workarounds.”

Background

Canvas, developed by Instructure, is the dominant learning management system in K-12 and higher education, serving over 30 million users globally. The platform manages coursework, grades, and messaging. ShinyHunters is a known ransomware group that has previously targeted other edtech firms.

On May 6, Instructure disclosed that stolen data includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.” The company says it found no evidence of compromised passwords, dates of birth, government IDs, or financial data.

“We believe the incident has been contained,” Instructure stated on May 6. But Thursday’s defacement suggests otherwise, as the group regained access or used previously planted code to alter the login page.

What This Means

This incident exposes the fragility of centralized educational technology. A single platform’s failure can paralyze entire school systems. The breach may spark renewed calls for stronger cybersecurity standards in edtech and push institutions to diversify their digital tools.

“Schools must treat edtech vendors as critical infrastructure,” said Tran. “They need contractual guarantees for cybersecurity audits, incident response plans, and backup systems to ensure learning continues during an attack.”

Instructure faces reputational and financial damage. While they insist sensitive financial data wasn’t stolen, the theft of private student communications could lead to privacy lawsuits. The company has not disclosed whether it will pay the ransom.

Instructure’s Response

Instructure’s status page currently displays: “Canvas is currently undergoing scheduled maintenance. Check back soon.” The company says it is working to restore service and will provide updates. No timeline has been given.

“We anticipate being up soon,” reads the message. But as of late evening, the platform remained offline, and the defacement message was still visible on cached pages.

What Users Should Do

Students and faculty should monitor official communications from their school’s IT department. Do not attempt to access Canvas via third-party links. If you have used Canvas recently, change your password for that account and any other services that share the same credentials.

Schools should prepare for possible data leaks by alerting users and offering credit monitoring. ShinyHunters has a history of following through on threats to publish stolen data.

Update: This is a developing story. Check back for updates on service restoration and any ransom payment announcements.