
The Canvas Hack Is a New Kind of Ransomware Debacle

Higher education institutions have frequently been targets of ransomware groups and efforts to extort data, but a cyberattack on a single software platform has rarely disrupted the everyday functioning of thousands of schools so extensively. Canvas, a widely adopted digital learning platform, was placed into “maintenance mode” following a data breach at Instructure, the company behind it, and an extortion attempt by hackers known as “ShinyHunters.” Although the perpetrators had been promoting the breach and seeking ransom since early May, the situation became urgent Thursday when Canvas downtime led to widespread disruption at schools, many of which were in crucial academic periods such as finals and year-end tasks.

Prominent universities including Harvard, Columbia, Rutgers, and Georgetown alerted their students to the breach, while numerous school districts across at least twelve states reported impact. The attackers claimed on their dark web site to have breached over 8,800 schools, though the precise extent and reach remain uncertain. The Canvas platform remained inaccessible during much of Thursday afternoon and evening, adding complexity to the situation. Instructure’s chief information security officer, Steve Proud, logged updates beginning May 1, confirming a criminal cybersecurity incident and outlining that compromised data involved names, emails, student IDs, and user messages on the platform.

By Wednesday, the incident was marked as resolved, with Canvas fully operational and no ongoing unauthorized activity detected. However, on Thursday, the system status page noted login difficulties with Student ePortfolios, and soon after Canvas and its related services were put into maintenance mode. By late evening, Canvas was restored for most users. Reports suggested that attackers launched a secondary wave of assaults, defacing some schools’ Canvas login portals with a message urging institutions to engage cyber advisory firms and negotiate settlements before a May 12 deadline to avoid data leaks. Harvard’s Canvas login page was among those modified to display the hackers’ message containing a list of affected schools, though the exact information about Harvard affiliates was unclear.

Instructure did not immediately respond to inquiries about the outages or their relationship to the broader breach, but the potential exposure of a vast amount of student information highlights the serious nature of this prolonged and escalating issue of ransomware and data extortion. The ShinyHunters moniker is associated with substantial data leakages and linked to the hacker collective known as Com, though over time multiple attackers have adopted similar names without clear connection to the original group. The current activity appears tied to a faction sometimes called ScatteredLapsus$Hunters, according to cybersecurity experts tracking the situation.

Earlier Thursday, the hackers’ dark web presence named Instructure and its client schools as victims and complained in a public note about the company’s refusal to engage in ransom negotiations, accusing it of disregard for affected students and institutions. Later, references to Instructure and its users were removed and the site eventually became unresponsive. Analysts note that such removals can be either a tactic following ransom payments or a strategy to pressure victims into paying. Negotiations with these groups often intensify into extreme coercive actions such as denial-of-service attacks, inundation with calls and emails, and even threats targeting executives’ families, tactics resembling mafia-like behavior more than traditional hacking.

The hackers also listed other known ShinyHunters victims on their site, including Amtrak, University of Pennsylvania, and several entertainment and dating companies, though it’s not confirmed whether these breaches are related to the same subgroup responsible for the Canvas incident. Experts caution that sometimes old or recycled data is used to inflate breach claims. Despite this, the current attack’s scope and disruption are genuine, marking a significant escalation for this ransomware group. This case underlines the enduring global challenge of cybercrime, emphasizing the urgent need for international cooperation among governments to combat extortionists exploiting vulnerable educational communities and to protect students from ongoing threats.
