Canvas Cyberattack: Widespread Disruption and Data Extortion at Schools Nationwide
A major security incident on the Canvas education platform caused widespread disruption across U.S. schools and universities. This Q&A explains the cyberattack, the data potentially stolen, and what it means for students and faculty.
1. What triggered the Canvas platform shutdown?
On May 7, 2025, students and faculty at dozens of institutions were met with a defaced Canvas login page displaying a ransom demand from the cybercrime group ShinyHunters. The group threatened to leak data from 275 million users across nearly 9,000 schools unless a ransom was paid. In response, Instructure, Canvas’s parent company, took the platform offline and replaced the login page with a “scheduled maintenance” message. The status page later stated they anticipated being back up soon.
2. Who is behind the attack and what are their demands?
The attack is attributed to ShinyHunters, a well-known extortion group. They initially set a payment deadline of May 6, which was later extended to May 12. The group claims to possess vast amounts of data, including names, phone numbers, email addresses, and billions of private messages between students and teachers. They have urged affected institutions to negotiate directly with them for the protection of their data—separate from any action by Instructure.
3. What data does Instructure confirm was stolen?
In a statement on May 6, Instructure disclosed that the breached information includes “certain identifying information” such as names, email addresses, and student ID numbers, as well as internal messages among users. Crucially, they found no evidence that passwords, dates of birth, government IDs, or financial data were compromised. The company emphasized that the incident was contained and no ongoing unauthorized activity was detected—until the defacement occurred the following day.
4. How have schools and students been affected?
The outage struck during a particularly sensitive period: many schools were administering final exams. Students and faculty flocked to social media to report being locked out of courses, assignments, and communication tools. While the stolen data may not be highly sensitive, the disruption itself has caused significant academic and administrative strain. A prolonged outage could damage Instructure’s reputation and trust among its institutional clients.
5. What steps has Instructure taken so far?
Instructure initially acknowledged the breach after ShinyHunters claimed responsibility. They disabled the platform after the defacement and replaced the login portal with a maintenance notice. The company’s status page reassured users that they were working to restore service and would provide updates. Instructure also claimed the incident was contained, though the defacement suggested otherwise. Their response has been viewed as reactive, raising questions about the security of cloud-based education tools.
6. What should affected institutions do next?
While Instructure works to restore normal operations, the extortion message advised schools to negotiate directly with ShinyHunters to prevent data publication. However, cybersecurity experts generally discourage paying ransoms, as it may encourage further attacks and does not guarantee data deletion. Institutions should instead focus on securing their own systems, communicating with users transparently, and following guidance from law enforcement and cybersecurity teams.
7. Could the breach have been prevented?
The exact method of the breach remains undisclosed, but the incident highlights vulnerabilities in large-scale education platforms. Many schools have since called for stronger access controls, regular security audits, and better contingency planning. The timing—during finals—underscores the cascading risks of relying on a single vendor for critical academic operations. This event will likely accelerate industry-wide discussions about cybersecurity standards for edtech providers.