Canvas Cyberattack: What Schools and Colleges Need to Know
An ongoing data extortion attack targeting the widely used education technology platform Canvas has disrupted classes and coursework at schools and universities across the United States. A cybercrime group defaced the service's login page with a ransom demand, threatening to leak data from 275 million students and faculty across nearly 9,000 educational institutions. Below, we answer the most pressing questions about the incident, its impact, and what steps are being taken.
What exactly happened during the Canvas cyberattack?
On May 7, students and faculty at dozens of schools and universities were greeted by a ransom demand from the cybercrime group ShinyHunters instead of the usual Canvas login page. The group defaced the platform, threatening to release stolen data unless a ransom was paid. Instructure, Canvas's parent company, responded by taking the platform offline and replacing the portal with a message about scheduled maintenance. The attack follows an earlier data breach disclosed earlier that week, where ShinyHunters claimed responsibility and set an initial payment deadline of May 6, later extended to May 12.
Who is behind the attack on Canvas?
The attack is attributed to the cybercrime group known as ShinyHunters. This group has a history of targeting educational technology platforms and other services. They claimed responsibility for the Canvas breach and stated they would leak data on tens of millions of students and faculty unless their ransom demands were met. The extortion message that replaced the login page also advised affected schools to negotiate separate payments to prevent data publication, regardless of whether Instructure complied.
What types of data were stolen from Canvas users?
According to Instructure's May 6 statement, the stolen information includes "certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users." ShinyHunters claims the haul includes several billion private messages, along with names, phone numbers, and email addresses. However, Instructure has stated that they found no evidence of more sensitive data being compromised—such as passwords, dates of birth, government identifiers, or financial information. The company continues to investigate the full scope of the breach.
How did Instructure respond to the defacement and data breach?
Instructure first acknowledged the data breach earlier in the week, stating that the incident had been contained and that Canvas was fully operational. However, when the defacement attack occurred on May 7, the company quickly disabled the platform. The login page was replaced with a message stating "Canvas is currently undergoing scheduled maintenance. Check back soon." The company's status page also noted they anticipated being back online soon and would provide updates. The rapid response aimed to prevent further damage and reassure users while they worked to restore services.
How many schools and users are affected by this incident?
The attack has the potential to impact a massive number of users. ShinyHunters threatened to leak data from approximately 275 million students and faculty across nearly 9,000 educational institutions, including K-12 schools, colleges, and universities. Instructure's own disclosures have not confirmed the exact number of affected individuals, but the scale is clearly enormous. Given Canvas's widespread adoption, the disruption has been felt across the United States, particularly as many schools were in the midst of final exams when the outage occurred.
Why is the timing of this attack particularly damaging?
The attack could hardly have come at a worse time for Instructure and the affected institutions. Many schools and universities are in the middle of final exams, a period when Canvas is critical for submitting assignments, accessing course materials, and communicating with instructors. A prolonged outage could have severe academic consequences, potentially delaying grades or disrupting end-of-year procedures. Furthermore, the ransom demand and data breach have eroded trust in the platform, with students and faculty worried about the security of their personal information during a high-stress period.
Are passwords or financial data at risk from this breach?
According to Instructure's investigation so far, there is no evidence that passwords, dates of birth, government identifiers (such as Social Security numbers), or financial information were included in the stolen data. The company stated that the breach involved names, email addresses, student ID numbers, and internal messages. While the ShinyHunters group claims to have obtained phone numbers and extensive message data, the most sensitive credentials appear to have been secured. However, users should remain vigilant for phishing attempts and consider changing passwords as a precautionary measure.
What should affected schools and individuals do now?
Schools should immediately review their cybersecurity protocols and consider enabling multi-factor authentication if not already in place. It is also advisable to communicate with students and faculty about the breach, warning them of potential phishing emails that may try to exploit the situation. The extortion message from ShinyHunters suggested that affected schools negotiate their own ransom payments, but experts strongly advise against paying ransoms, as there is no guarantee data will not be leaked. Individuals should monitor their accounts for suspicious activity and report any unusual requests to their IT department.