Canvas cyberattack forces widespread shutdown across U.S. schools

A major cyber extortion incident against the education platform Canvas triggered widespread outages on Thursday, disrupting coursework and exams for students and faculty across thousands of U.S. schools and universities. The attack, carried out by the cybercrime group ShinyHunters, replaced the platform’s login page with a ransom note threatening to leak data allegedly stolen from 275 million users.

Platform taken offline after defacement

Canvas’ parent company, Instructure, disabled the platform shortly after the defacement appeared, replacing the login portal with a generic “scheduled maintenance” message. The shutdown affected nearly 9,000 educational institutions, many of which are currently in the middle of final exams.

Instructure had already acknowledged a breach earlier in the week, confirming that attackers accessed user names, email addresses, student ID numbers, and internal messages. The company said it found no evidence that passwords, government IDs, or financial data were taken.

Ransom deadline extended

ShinyHunters initially demanded payment by May 6, later extending the deadline to May 12. The group claimed it would leak billions of private messages and other personal data if institutions did not pay. The ransom note urged individual schools to negotiate directly, regardless of Instructure’s response.

A source close to the investigation told KrebsOnSecurity that several universities have already contacted the attackers. Notably, ShinyHunters removed Instructure from its leak site — a step typically taken only after negotiations begin or a payment is made.

A pattern of repeated breaches

Security experts criticized Instructure’s handling of the incident. Dipan Mann, CEO of Cloudskope, argued that calling the outage “scheduled maintenance” was misleading and noted that this marks at least the third ShinyHunters breach of Instructure in eight months.

Mann pointed to a September 2025 breach at the University of Pennsylvania, where thousands of internal files were leaked through what investigators later linked to Canvas-related access. He described that earlier incident as a “proof of concept” leading to the current escalation.

ShinyHunters’ expanding campaign

ShinyHunters has recently claimed responsibility for attacks on major companies including ADT, Medtronic, Rockstar Games, McGraw Hill, 7‑Eleven, and Carnival Cruise Line. The group often gains access through voice‑phishing schemes that impersonate IT staff to steal login credentials.

Security analysts at Mandiant say the Canvas breach is just one of several simultaneous ShinyHunters operations currently underway.

What comes next

According to Cloudskope, the fallout now depends on how Canvas’ customers respond. Universities and K‑12 districts may either pressure Instructure for transparency and remediation — or quietly absorb the damage, as has often happened with education‑sector breaches.