A coordinated extortion campaign by the ShinyHunters group forced Instructure to take its Canvas LMS offline after claiming theft of hundreds of millions of student and staff records across thousands of institutions. Instructure confirmed a breach exposing names, emails, student IDs and private messages, while attackers defaced school login pages and demanded payment to avoid publication. The incident disrupted finals, grading and communications, with universities scrambling to assess exposure and investigators probing use of export APIs and data access controls. The episode exposes systemic risks of centralized cloud-based edtech, weak governance, and long-term privacy harms for students and educators.
Canvas operator Instructure temporarily took the learning platform offline after detecting unauthorized activity tied to a threat actor that had earlier accessed user data; service was restored by Friday. The attacker — ransomware group ShinyHunters — claimed responsibility and posted a ransom demand during peak final-exam periods, saying it had data on 275 million people across 8,800 schools. Instructure said exposed data included names, emails, student IDs and messages but not passwords, birthdates, government IDs or financial information. The outage forced multiple universities to postpone or reschedule finals, underscoring persistent cybersecurity risks for edtech and the wider fallout when cloud education platforms are disrupted.
Canvas parent company Instructure was forced to take its LMS offline after the cybercrime group ShinyHunters defaced Canvas login pages with a ransom demand and claimed data from 275 million students and staff across nearly 9,000 institutions. Instructure had already acknowledged a breach earlier in the week and said stolen data included names, emails, student IDs and internal messages but not passwords or financial data. The extortion post urged schools to negotiate individual ransoms; some universities reportedly contacted the attackers. The outage hit during finals, disrupting classes and prompting criticism of Instructure for labeling the outage as "scheduled maintenance." The incident underscores risks to education tech and the impact of ransomware/extortion on critical cloud services.
Instructure’s Canvas platform was breached by the ShinyHunters ransomware group, locking students out and reportedly exfiltrating messages and data for more than 275 million people. Instructure confirmed stolen personal information including names, emails, student IDs and user messages, and said the service had been breached twice, once on April 29 and again on Thursday. The outage disrupted finals, grading and campus communications, underscoring risks from centralizing education data in a single cloud provider. Digital librarian Ian Linkletter called it “the biggest student data privacy disaster in history,” warning the scale and sensitivity of leaked messages enable targeted phishing and long-term privacy harms. The incident spotlights systemic EdTech security and governance failures.
Brian Krebs / Krebs on Security: Instructure disables its Canvas edtech platform, used by thousands of schools and universities, amid a data extortion attack claimed by ShinyHunters — An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework …
Canvas owner Instructure took its LMS offline after the cybercrime group ShinyHunters defaced the service’s login page and demanded ransom over a claimed breach impacting data from up to 275 million students and staff across nearly 9,000 institutions. Instructure had earlier acknowledged a breach and said stolen data may include names, emails, student IDs and messages, but not passwords or financial data; it initially reported the incident contained and Canvas operational. The defacement and extortion forced schools into disruption during finals, prompted some universities to consider paying, and raised criticism over Instructure’s handling and status messaging while investigators and security firms probe the ongoing extortion and potential data exposure.
Hackers tied to the ShinyHunters group have reportedly defaced Canvas login pages for several schools after claiming responsibility for a prior Instructure breach that exposed student names, emails, and teacher-student messages. TechCrunch observed altered login screens on three schools where attackers injected an HTML file displaying a message threatening to publish stolen data on May 12 unless Instructure pays a settlement. Instructure’s main site showed intermittent errors and Canvas displayed a maintenance notice; the company hasn’t commented. ShinyHunters says this is a separate compromise and has previously claimed data from nearly 9,000 schools affecting about 231 million people, signaling an escalation in its extortion campaign against education customers.
Hackers affiliated with the ShinyHunters group allegedly defaced Canvas login pages for multiple schools after previously claiming a data breach at education tech provider Instructure. TechCrunch observed HTML injections on three schools’ portals displaying a message that threatened to publish stolen student data on May 12 unless Instructure negotiated a settlement. ShinyHunters had earlier publicized a breach and claimed data on roughly 231 million people across nearly 9,000 schools. Instructure’s main site showed partial availability and maintenance notices while the company had not commented. The incident highlights ongoing extortion tactics targeting edtech infrastructure and raises concerns about student privacy and the security of cloud-based learning platforms.
Canvas, the Instructure-owned learning management platform, is offline after a ransomware-style incident tied to the ShinyHunters hacking group. Students encountered a ransom message on Thursday claiming ShinyHunters breached Instructure and threatening to publish data from roughly 9,000 schools — allegedly affecting 275 million students, teachers, and staff — unless paid by May 12, 2026. Instructure said it recently applied security patches after confirming a major data breach that exposed names, emails, ID numbers, and messages; Canvas, Canvas Beta, and Canvas Test are currently unavailable while the company investigates. The episode underscores risks to education tech providers and the large-scale consequences of breaches in cloud-based LMS platforms.
Canvas, the Instructure-owned learning management system, is offline after a ransomware-style incident in which the hacking group ShinyHunters claimed responsibility and threatened to leak data from thousands of schools. The group posted a ransom note on affected Canvas instances and a link to a list it alleges includes 9,000 schools and data on 275 million students, teachers, and staff; it demanded contact and payment by May 12, 2026. Instructure had said it recently deployed security patches after confirming a breach that exposed names, emails, ID numbers, and messages. Canvas’s status page shows outages for production, beta, and test environments as the company investigates.
ShinyHunters claims it stole 280 million records from 8,809 institutions tied to Instructure's Canvas LMS, alleging use of Canvas export features and APIs to harvest hundreds of gigabytes of student, staff and enrollment data. Instructure confirmed a breach and that names, email addresses and private messages were exposed; the extortion group posted a per-institution record list seen by BleepingComputer. Universities including Colorado Boulder, Rutgers and Tilburg have issued statements as investigations continue, though BleepingComputer and affected schools have not independently verified the full list. The incident underscores risks in edtech cloud platforms, data-export controls, and third-party security for millions of users.
Hackers deface school login pages after claiming another Instructure hack
ShinyHunters, an extortion-focused cybercrime group, claims it stole 280 million records from 8,809 schools, districts, universities and online education platforms linked to Instructure's Canvas LMS. Instructure disclosed an ongoing investigation and confirmed a breach exposing user names, emails and private messages; the threat actor says they used Canvas export features (DAP queries, provisioning reports, user APIs) to harvest hundreds of gigabytes of records, messages and enrollment data. BleepingComputer obtained a leaked list with per-institution record counts but has not independently verified impact for specific organizations. Several universities have started issuing notices while Instructure has not yet provided detailed public responses. The incident highlights risks to education tech platforms and large-scale data exposure for students and staff.