Massive Canvas Breach Rocks EdTech Trust

Canvas, the learning-management platform by Instructure, was restored after a breach traced to compromised 'free-for-teacher' accounts, likely created with weak protections. Attackers used these teacher accounts to escalate access and exfiltrate data, prompting a full service outage and emergency remediation. Instructure has been reverting affected credentials, forcing password resets, and restoring services while investigating the scope of stolen data. The incident highlights risks from low-friction account sign-ups and insufficient access controls in edtech, underscoring the need for stronger authentication, monitoring, and vendor security practices across education platforms. Customers and institutions are being advised to review account provisioning and apply multi-factor authentication.

Canvas operator Instructure temporarily took the platform offline after a cyberattack by the ShinyHunters ransomware group disrupted access during US final exams; the company restored service by Friday morning but had earlier identified unauthorized activity and a related data breach disclosed a week prior. ShinyHunters claimed it stole data tied to 275 million people across 8,800 schools and posted a ransom demand on Canvas login pages, prompting universities — including the University of Illinois and University of Massachusetts Dartmouth — to postpone or reschedule finals. Instructure says stolen data included names, emails, student IDs and messages, but not passwords or financial or government identifiers. The incident underscores persistent risks to education tech and large-scale clouded-data supply-chain exposure.

Canvas, the widely used US online education platform developed by Instructure, suffered a cyberattack on May 7 that briefly disrupted service after unauthorized parties altered platform pages. Instructure took the platform offline as a precaution, began an investigation and restored most user access the evening of May 7; by May 8 the company said Canvas was fully back online. Instructure has retained external experts and says it is working to minimize impacts from the incident. The outage affected institutions across the US, underscoring risks to digital education infrastructure and the importance of incident response and forensic review.

Canvas operator Instructure temporarily took the learning platform offline after detecting unauthorized activity tied to a threat actor that had earlier accessed user data; service was restored by Friday. The attacker — ransomware group ShinyHunters — claimed responsibility and posted a ransom demand during peak final-exam periods, saying it had data on 275 million people across 8,800 schools. Instructure said exposed data included names, emails, student IDs and messages but not passwords, birthdates, government IDs or financial information. The outage forced multiple universities to postpone or reschedule finals, underscoring persistent cybersecurity risks for edtech and the wider fallout when cloud education platforms are disrupted.

Canvas parent company Instructure was forced to take its LMS offline after the cybercrime group ShinyHunters defaced Canvas login pages with a ransom demand and claimed data from 275 million students and staff across nearly 9,000 institutions. Instructure had already acknowledged a breach earlier in the week and said stolen data included names, emails, student IDs and internal messages but not passwords or financial data. The extortion post urged schools to negotiate individual ransoms; some universities reportedly contacted the attackers. The outage hit during finals, disrupting classes and prompting criticism of Instructure for labeling the outage as "scheduled maintenance." The incident underscores risks to education tech and the impact of ransomware/extortion on critical cloud services.

Instructure’s Canvas platform was breached by the ShinyHunters ransomware group, locking students out and reportedly exfiltrating messages and data for more than 275 million people. Instructure confirmed stolen personal information including names, emails, student IDs and user messages, and said the service had been breached twice, once on April 29 and again on Thursday. The outage disrupted finals, grading and campus communications, underscoring risks from centralizing education data in a single cloud provider. Digital librarian Ian Linkletter called it “the biggest student data privacy disaster in history,” warning the scale and sensitivity of leaked messages enable targeted phishing and long-term privacy harms. The incident spotlights systemic EdTech security and governance failures.

Brian Krebs / Krebs on Security : Instructure disables its Canvas edtech platform, used by thousands of schools and universities, amid a data extortion attack claimed by ShinyHunters — An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework …

Canvas owner Instructure took its LMS offline after the cybercrime group ShinyHunters defaced the service’s login page and demanded ransom over a claimed breach impacting data from up to 275 million students and staff across nearly 9,000 institutions. Instructure had earlier acknowledged a breach and said stolen data may include names, emails, student IDs and messages, but not passwords or financial data; it initially reported the incident contained and Canvas operational. The defacement and extortion forced schools into disruption during finals, prompted some universities to consider paying, and raised criticism over Instructure’s handling and status messaging while investigators and security firms probe the ongoing extortion and potential data exposure.

Hackers tied to the ShinyHunters group have reportedly defaced Canvas login pages for several schools after claiming responsibility for a prior Instructure breach that exposed student names, emails, and teacher-student messages. TechCrunch observed altered login screens on three schools where attackers injected an HTML file displaying a message threatening to publish stolen data on May 12 unless Instructure pays a settlement. Instructure’s main site showed intermittent errors and Canvas displayed a maintenance notice; the company hasn’t commented. ShinyHunters says this is a separate compromise and has previously claimed data from nearly 9,000 schools affecting about 231 million people, signaling an escalation in its extortion campaign against education customers.

Hackers affiliated with the ShinyHunters group allegedly defaced Canvas login pages for multiple schools after previously claiming a data breach at education tech provider Instructure. TechCrunch observed HTML injections on three schools’ portals displaying a message that threatened to publish stolen student data on May 12 unless Instructure negotiated a settlement. ShinyHunters had earlier publicized a breach and claimed data on roughly 231 million people across nearly 9,000 schools. Instructure’s main site showed partial availability and maintenance notices while the company had not commented. The incident highlights ongoing extortion tactics targeting edtech infrastructure and raises concerns about student privacy and the security of cloud-based learning platforms.

Canvas, the Instructure-owned learning management platform, is offline after a ransomware-style incident tied to the ShinyHunters hacking group. Students encountered a ransom message on Thursday claiming ShinyHunters breached Instructure and threatening to publish data from roughly 9,000 schools — allegedly affecting 275 million students, teachers, and staff — unless paid by May 12, 2026. Instructure said it recently applied security patches after confirming a major data breach that exposed names, emails, ID numbers, and messages; Canvas, Canvas Beta, and Canvas Test are currently unavailable while the company investigates. The episode underscores risks to education tech providers and the large-scale consequences of breaches in cloud-based LMS platforms.

Canvas, the Instructure-owned learning management system, is offline after a ransomware-style incident in which the hacking group ShinyHunters claimed responsibility and threatened to leak data from thousands of schools. The group posted a ransom note on affected Canvas instances and a link to a list it alleges includes 9,000 schools and data on 275 million students, teachers, and staff; it demanded contact and payment by May 12, 2026. Instructure had said it recently deployed security patches after confirming a breach that exposed names, emails, ID numbers, and messages. Canvas’s status page shows outages for production, beta, and test environments as the company investigates.

ShinyHunters claims it stole 280 million records from 8,809 institutions tied to Instructure's Canvas LMS, alleging use of Canvas export features and APIs to harvest hundreds of gigabytes of student, staff and enrollment data. Instructure confirmed a breach and that names, email addresses and private messages were exposed; the extortion group posted a per-institution record list seen by BleepingComputer. Universities including Colorado Boulder, Rutgers and Tilburg have issued statements as investigations continue, though BleepingComputer and affected schools have not independently verified the full list. The incident underscores risks in edtech cloud platforms, data-export controls, and third-party security for millions of users.

Hackers deface school login pages after claiming another Instructure hack

ShinyHunters, an extortion-focused cybercrime group, claims it stole 280 million records from 8,809 schools, districts, universities and online education platforms linked to Instructure's Canvas LMS. Instructure disclosed an ongoing investigation and confirmed a breach exposing user names, emails and private messages; the threat actor says they used Canvas export features (DAP queries, provisioning reports, user APIs) to harvest hundreds of gigabytes of records, messages and enrollment data. BleepingComputer obtained a leaked list with per-institution record counts but has not independently verified impact for specific organizations. Several universities have started issuing notices while Instructure has not yet provided detailed public responses. The incident highlights risks to education tech platforms and large-scale data exposure for students and staff.