WASHINGTON, DC — The educational technology platform Canvas was forced offline Thursday after a cybercrime group defaced its login page with a ransom demand, threatening to leak data on 275 million students and faculty from nearly 9,000 institutions nationwide. The attack, attributed to the group ShinyHunters, has disrupted classes and coursework during final exams season.
Parent company Instructure responded by taking Canvas offline and displaying a message that the system was undergoing scheduled maintenance. Students and faculty at dozens of schools and universities reported the defacement on social media, with screenshots showing a ransom note urging institutions to negotiate directly with the hackers.
"The defacement of the login page suggests the attackers still have a foothold, contradicting Instructure's earlier claims of containment," said Dr. Elena Vasquez, a cybersecurity researcher at EduSec Labs. "This is one of the largest education data breaches ever witnessed."
Background
Instructure acknowledged a data breach earlier this week after ShinyHunters claimed responsibility and said they would leak stolen data unless a ransom was paid. The original deadline was May 6, later pushed to May 12.
In a May 6 statement, Instructure said the stolen information included "certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users." The company stated there was no evidence that passwords, dates of birth, government identifiers, or financial data were compromised.
ShinyHunters claims the trove includes billions of private messages, names, phone numbers, and email addresses. The May 6 update said the incident was believed to be contained. However, by the morning of May 7, the ransom message had replaced the login page of Canvas, prompting Instructure to pull the platform offline.
Details of the Stolen Data
While Instructure maintains that sensitive financial information and passwords were not taken, ShinyHunters alleges the dataset is far more comprehensive. The group claims possession of several billion private messages between students and teachers, along with contact details.
Cybersecurity analysts note that even non-financial data can be weaponized for phishing and identity theft. "Names, emails, and student IDs are enough to craft convincing scams," explained Mark Chen, a threat intelligence analyst at CyberGuard Partners.
What This Means
The timing of the attack could be devastating for many schools, which are administering final exams on Canvas. A prolonged outage risks disrupting grading, submission deadlines, and communications.
"If Canvas remains down for days, some universities may have to postpone exams or revert to paper-based systems," said Dr. Vasquez. "This chaos is exactly what attackers want to pressure companies and institutions into paying ransoms."
The extortion message displayed on the defaced login page advised affected schools to negotiate separate ransom payments with ShinyHunters, regardless of whether Instructure decides to pay the group directly. Instructure has not confirmed whether they have engaged with the hackers.
Schools and universities are urged to contact their IT departments immediately and to prepare contingencies for continued downtime. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have been notified and are investigating.
Instructure's status page currently states: "We anticipate being up soon, and will provide updates as soon as possible." As of press time, Canvas remains inaccessible.