In a cyber incident sending shockwaves through education systems globally, the popular learning platform Canvas was hit by a sophisticated breach claimed by the notorious hacking group ShinyHunters.
On May 7, users attempting to log in were greeted with a ransom message demanding payment by May 12 or face the release of billions of private messages, names, emails, and student IDs.
The attack, which began quietly in late April, escalated dramatically this week when the group defaced login pages and took major portions of the system offline.Canvas, operated by Instructure, powers courses for over 40% of North American higher-education institutions and thousands more worldwide.
Officials confirmed the compromise involved cloud-hosted data affecting an estimated 275 million records across nearly 9,000 schools.
Universities from UC Berkeley to Ivy League campuses reported outages during final exams and grading periods, leaving students unable to submit assignments or access materials.ShinyHunters, previously responsible for high-profile attacks on Ticketmaster and several universities, published a list of affected institutions and warned that “several billions of private messages” containing sensitive conversations would be leaked unless demands were met.
Instructure restored most services by early May 8 after revoking credentials and implementing emergency fixes, but the company has remained largely silent on ransom negotiations.
Parents, educators, and cybersecurity experts are now urging immediate password changes and multi-factor authentication. The breach has exposed the vulnerability of the digital infrastructure millions rely on daily, raising urgent questions about data protection in education.
As the May 12 deadline approaches, the world is watching to see whether this becomes one of the largest education data leaks in history—or if a quiet resolution will keep the stolen information from public view.