An ongoing information extortion assault concentrating on the widely-used schooling expertise platform Canvas disrupted lessons and coursework at college districts and universities throughout the US in the present day, after a cybercrime group defaced the service’s login web page with a ransom demand that threatened to leak information from 275 million college students and school throughout practically 9,000 academic establishments.
A screenshot shared by a reader exhibiting the extortion message that was proven on the Canvas login web page in the present day.
Canvas guardian agency Instructure responded to in the present day’s defacement assaults by disabling the platform, which is utilized by hundreds of faculties, universities and companies to handle coursework and assignments, and to speak with college students.
Instructure acknowledged an information breach earlier this week, after the cybercrime group ShinyHunters claimed accountability and mentioned they’d leak information on tens of thousands and thousands of scholars and school except paid a ransom. The said deadline for cost was initially set at Might 6, but it surely was later pushed again to Might 12.
In a press release on Might 6, Instructure mentioned the investigation to date exhibits the stolen info contains “sure figuring out info of customers at affected establishments, reminiscent of names, e mail addresses, and pupil ID numbers, in addition to as messages amongst customers.” The corporate mentioned it discovered no proof the breached information included extra delicate info, reminiscent of passwords, dates of delivery, authorities identifiers or monetary info.
The Might 6 replace said that Canvas was absolutely operational, and that Instructure was not seeing any ongoing unauthorized exercise on their platform. “At this stage, we imagine the incident has been contained,” Instructure wrote.
Nonetheless, by mid-day on Thursday, Might 7, college students and school at dozens of faculties and universities had been flooding social media websites with feedback saying {that a} ransom demand from ShinyHunters had changed the standard Canvas login web page. Instructure responded by pulling Canvas offline and changing the portal with the message, “Canvas is at the moment present process scheduled upkeep. Examine again quickly.”
“We anticipate being up quickly, and can present updates as quickly as potential,” reads the present message on Instructure’s standing web page.
Whereas the info stolen by ShinyHunters could or could not comprise notably delicate info (ShinyHunters claims it contains a number of billion non-public messages amongst college students and academics, in addition to names, cellphone numbers and e mail addresses), this assault may hardly have come at a worse time for Instructure: Lots of the affected colleges and universities are in the midst of closing exams, and a protracted outage might be extremely damaging for the corporate.
The extortion message that greeted numerous Canvas customers in the present day suggested the affected colleges to barter their very own ransom funds to forestall the publication of their information — no matter whether or not Instructure decides to pay.
“ShinyHunters has breached Instructure (once more),” the extortion message learn. “As an alternative of contacting us to resolve it they ignored us and did some ‘safety patches.’”
A supply near the investigation who was not approved to talk to the press instructed KrebsOnSecurity that numerous universities have already approached the cybercrime group about paying. The identical supply additionally identified that the ShinyHunters information leak weblog now not lists Instructure amongst its present extortion victims, and that the samples of information stolen from Canvas clients had been eliminated as nicely. Knowledge extortion teams like ShinyHunters will sometimes solely take away victims from their leak websites after receiving an extortion cost or after a sufferer agrees to barter.
Dipan Mann, founder and CEO of the safety agency Cloudskope, slammed Instructure for referring to in the present day’s outage as a “scheduled upkeep” occasion on its standing web page. Mann mentioned Shiny Hunters first demonstrated they’d breached Instructure on Might 1, prompting Instructure’s Chief Data Safety Officer Steve Proud to declare the next day that the incident had been contained. However Mann mentioned in the present day’s assault is at the very least the third time previously eight months that Instructure has been breached by ShinyHunters.
In a weblog submit in the present day, Mann famous that in September 2025, ShinyHunters launched hundreds of inner College of Pennsylvania recordsdata — donor data, inner memos, and different confidential supplies — by what the Day by day Pennsylvanian and different shops later decided was, partially, a Canvas/Instructure-mediated entry path.
“Penn was the named sufferer,” Mann wrote. “Instructure was the mechanism. The incident was handled as a Penn-specific story by many of the nationwide press and quietly dealt with by Instructure as a customer-specific matter. That framing was fallacious then. It’s dramatically extra fallacious in mild of the Might 2026 occasions, which now appear to be the deliberate escalation of an assault sample that ShinyHunters had been working in opposition to Instructure’s setting for at the very least eight months prior. The September 2025 Penn breach was the proof of idea. The Might 1, 2026 incident was the manufacturing run. The Might 7, 2026 recompromise was ShinyHunters demonstrating publicly that the Might 2 ‘containment’ didn’t occur.”
In February, a ShinyHunters spokesperson instructed The Day by day Pennsylvanian that Penn didn’t pay a $1 million ransom demand. On March 5, ShinyHunters revealed 461 megabytes value of information stolen from Penn, together with hundreds of recordsdata reminiscent of donor data and inner memos.
ShinyHunters is a prolific and fluid cybercriminal group that makes a speciality of information theft and extortion. They sometimes achieve entry to corporations by voice phishing and social engineering assaults that always contain impersonating IT personnel or different trusted members of a focused group.
Final month, ShinyHunters relieved the house safety big ADT of non-public info on 5.5 million clients. The extortion group instructed BleepingComputer they breached the corporate by compromising an worker’s Okta single sign-on account in a voice phishing assault that enabled entry to ADT’s Salesforce occasion. BleepingComputer says ShinyHunters just lately has taken credit score for numerous extortion assaults in opposition to high-profile organizations, together with Medtronic, Rockstar Video games, McGraw Hill, 7-Eleven and the cruise line operator Carnival.
The assault on Canvas clients is only one of a number of main cybercrime campaigns being launched by ShinyHunters in the mean time, mentioned Charles Carmakal, chief expertise officer on the Google-owned Mandiant Consulting. Carmakal declined to remark particularly on the Canvas breach, however mentioned “there are a number of concurrent and discrete ShinyHunters intrusion and extortion campaigns occurring proper now.”
Cloudskope’s Mann mentioned what occurs subsequent relies upon largely on whether or not Instructure’s clients — the colleges, Ok-12 districts, and schooling ministries paying for Canvas — select to use strain or soak up the breach quietly.
“The historical past of education-vendor incidents suggests the trail of least resistance is the second,” he concluded.
Replace, Might 8, 11:05 a.m. ET: Instructure has revealed an incident replace web page that features extra details about the breach. Instructure mentioned its Canvas portal is functioning usually once more, and that the hackers exploited a difficulty associated to Free-for-Trainer accounts.
“This is similar problem that led to the unauthorized entry the prior week,” Instructure wrote. “Because of this, we have now made the tough resolution to quickly shut down Free-for-Trainer accounts. These accounts have been a core a part of our platform, and we’re dedicated to resolving the problems with these accounts.”
Instructure mentioned affected organizations had been notified on Might 6.
“In case your group is affected, Instructure will contact your group’s main contacts straight,” the replace states. “Please don’t depend on third-party lists or social media posts naming doubtlessly affected organizations as these lists aren’t verified. Instructure will affirm validated info by direct outreach to all affected organizations.”
