Canvas Cyberattack: Key Questions About the Data Extortion Incident
Canvas breach by ShinyHunters disrupts schools during exams; stolen data includes names, emails, messages; Instructure disables platform.
In a major cybersecurity incident, the widely used education platform Canvas was disrupted by a data extortion attack orchestrated by the cybercrime group ShinyHunters. The attack defaced the login page with a ransom demand, threatening to leak data from 275 million students and faculty across nearly 9,000 institutions. Canvas parent company Instructure responded by temporarily disabling the platform, which is critical for coursework, assignments, and communication, especially during final exam periods. Below, we answer key questions about the breach, its impact, and what it means for affected schools and universities.
What exactly happened to Canvas?
On May 7, 2025, students and faculty at dozens of schools and universities saw a ransom demand from ShinyHunters replace the usual Canvas login page. The group had previously claimed responsibility for a data breach earlier that week, threatening to release stolen data unless a ransom was paid. In response, Instructure took Canvas offline and replaced the portal with a message stating the platform was undergoing scheduled maintenance. The attack disrupted classes and coursework nationwide, as Canvas is a central tool for managing assignments, grades, and communication. The initial ransom deadline was set for May 6 but was later pushed to May 12. Instructure acknowledged the breach but stated that while stolen data includes names, email addresses, and user messages, there is no evidence of more sensitive information like passwords or financial data being compromised.

Who is behind this attack?
The cybercrime group ShinyHunters has claimed responsibility for the data extortion attack on Canvas. This group is known for targeting educational institutions and tech platforms, often stealing large datasets and demanding ransoms to prevent leaks. In this case, they defaced the Canvas login page with a direct ransom demand and warned that 275 million records—including names, email addresses, phone numbers, and private messages—would be published if their demands were not met. ShinyHunters also suggested that individual schools negotiate their own payments to avoid data exposure. The group initially set a deadline of May 6, but later extended it to May 12, possibly in response to Instructure's containment efforts or to increase pressure.
What kind of data was stolen?
According to Instructure, the stolen information includes certain identifying information such as names, email addresses, and student ID numbers, as well as messages exchanged between users. The company found no evidence that passwords, dates of birth, government identifiers, or financial information were accessed. However, ShinyHunters claims to have several billion private messages among students and teachers, along with phone numbers and email addresses. While the data may not include highly sensitive details like Social Security numbers, the sheer volume and the potential exposure of personal communications could lead to privacy concerns and targeted phishing attacks. The full extent of the breach is still under investigation, and affected institutions are advised to monitor for suspicious activity.
How did Instructure respond to the breach?
Instructure initially acknowledged the breach earlier in the week, stating that the incident was contained and that Canvas was fully operational. However, after the defacement on May 7, the company took the platform offline and replaced it with a scheduled maintenance notice. In a statement, Instructure said, "At this stage, we believe the incident has been contained," but the defacement proved otherwise. The company has been working to restore service and provide updates via its status page. The response has been criticized for being slow and for downplaying the severity, especially since the attack occurred during final exams. Instructure has not disclosed whether it paid the ransom or negotiated with ShinyHunters, and it continues to investigate how the breach occurred.

Why is the timing of this attack so critical?
The attack struck during final exam season, a period when Canvas is heavily used for submitting assignments, accessing study materials, and communicating grades. Many schools and universities rely on the platform for end-of-year assessments, and any disruption can delay grading, graduation processing, and student feedback. A prolonged outage could force institutions to revert to paper-based methods or alternative digital tools, causing administrative chaos. For students, missing deadlines or losing access to coursework could impact their final marks. Moreover, the threat of data leaks adds psychological stress. The attack could also cause long-term reputational damage for Instructure if schools reconsider using Canvas as their primary learning management system.
What should affected schools and universities do now?
Schools and universities affected by the Canvas breach should take several steps. First, communicate transparently with students and faculty about the incident and potential risks. Second, advise users to change passwords on Canvas and any other accounts using the same credentials, even though passwords were not confirmed stolen. Third, monitor for phishing attempts that may exploit stolen emails or messages. Fourth, consider negotiating with ShinyHunters if the institution's specific data is at risk, as the extortion message suggested. However, law enforcement typically advises against paying ransoms, as it encourages further attacks. Institutions should also review their cybersecurity protocols and evaluate alternative platforms for continuity. Finally, they should stay updated via Instructure's official channels and report any suspicious activity to authorities.
How widespread is the impact of this breach?
The breach affects approximately 275 million users across nearly 9,000 educational institutions, including K–12 schools, colleges, and universities in the United States. The number may also include some business clients. Given Canvas's dominant market position in the education technology sector, this is one of the largest data extortion incidents targeting a single platform. The reach is vast: students, teachers, administrators, and even parents using Canvas for communication could be impacted. While the exact number of institutions that had data exposed may be smaller, the defacement affected all users trying to log in. The incident has raised widespread concern about the security of educational technology platforms and the vulnerability of student data.