A massive Canvas cyberattack has thrown students and educators into chaos, disabling the popular learning platform during the crucial final exam season. The cybercrime group known as ShinyHunters has claimed responsibility for hacking Instructure, the parent company of Canvas, exposing the personal information of hundreds of millions of users. The breach forced the platform offline for several hours on Thursday, locking panicked students out of their exams and assignments.
The Canvas cyberattack potentially impacts more than 275 million individuals across nearly 9,000 educational institutions worldwide. Hackers claim to have stolen approximately 3.65 terabytes of data, demanding a financial settlement by May 12, 2026. If their demands are not met, the extortionists threaten to release billions of private messages exchanged between students and teachers.
Hackers Deface University Login Pages
Before the massive outage on Thursday, Instructure had already detected unauthorized activity. The company first disclosed on May 1 that it was dealing with a cybersecurity incident perpetrated by a criminal threat actor, which had begun around April 29. At the time, Steve Proud, Instructure’s chief information security officer, stated that the breach was contained as of May 2.
The situation escalated significantly on Thursday when students attempting to log in were met with an extortion message directly on their screens. ShinyHunters successfully injected an HTML file into the Canvas portals of several schools, publicly demanding that the institutions consult with cybersecurity firms and negotiate a settlement. The criminal group claimed this latest defacement was a second, separate breach, mocking Instructure for merely applying security patches instead of cooperating.
Following the defacement, Instructure temporarily pulled Canvas offline for emergency maintenance. A spokesperson for Instructure explained that the unauthorized actors exploited a vulnerability linked to the platform’s Free-For-Teacher accounts. To contain the access and restore system stability, the company made the decision to temporarily shut down those specific accounts. By Thursday night, Canvas was restored and fully operational for the majority of users.
Finals Week Chaos Sweeps Campuses
The timing of the outage could not have been worse for the educational community. With most universities wrapping up the academic year, the sudden disruption triggered widespread panic among students preparing for finals. Social media platforms quickly flooded with reports of connectivity issues, login failures, and fears over missed submission deadlines.
Students reported being locked out of active exams, while others found that third-party access codes for digital proctoring services were no longer functioning. Website outage monitors showed massive spikes in error reports across North America as the system went dark.
The outage and subsequent data breach affected a massive roster of prominent institutions. Eight Ivy League schools, including Harvard University and the University of Pennsylvania, reported disruptions. Other major institutions caught in the fallout included Duke University, UCLA, the University of Michigan, the University of Nebraska, and the University of Miami. Canadian institutions like the University of British Columbia also warned students about potential phishing threats tied to the incident.
What Student Data Was Exposed?
While the platform is back online, concerns regarding student privacy remain high. Instructure’s initial investigation revealed that the attackers successfully accessed a wide range of personally identifiable information. The compromised data includes full names, personal email addresses, student identification numbers, and course enrollment details. Most alarmingly, the hackers obtained access to internal communications, meaning private messages between students and faculty are currently in the hands of cybercriminals.
However, the company reported some positive news regarding the scope of the data theft. According to current investigations by Instructure, passwords, dates of birth, financial information, and government identifiers remain secure.
A Looming Extortion Deadline
The education sector is now bracing for the group’s May 12 deadline. ShinyHunters, a financially motivated extortion gang believed to have formed around 2020, has a history of targeting major corporations, including AT&T, Microsoft, and Ticketmaster. Recently, the group has pivoted to the education sector, launching attacks against companies like McGraw-Hill and Infinite Campus.
As the deadline approaches, the hackers are pressuring both Instructure and individual school districts to pay up. The criminal extortion gang originally published their ransom note on a dark web leak site on May 3, which was monitored and shared by cybersecurity trackers at Ransomware.live. Forensics experts enlisted by Instructure continue to investigate the full scope of the breach, but for millions of students, the damage to their privacy and their academic schedules has already been done.
