Canvas Cyberattack: Key Questions and Answers About the ShinyHunters Breach

In early May 2025, a major cybersecurity incident struck Instructure's Canvas platform, a learning management system used by thousands of schools and universities across the United States. The attack, carried out by the cybercrime group ShinyHunters, involved defacing the Canvas login page with a ransom demand and threatening to leak data from 275 million students and faculty. This disruption hit during final exams, causing widespread concern and confusion. Below, we address the most pressing questions about this breach.

1. What exactly happened in the Canvas cyberattack?

On May 7, 2025, a criminal group known as ShinyHunters defaced the login page of Canvas, the popular education technology platform owned by Instructure. Instead of the usual login interface, users saw a ransom demand threatening to release stolen data unless a payment was made. This defacement followed a data breach earlier that week. In response, Instructure took Canvas offline, replacing the portal with a message about scheduled maintenance. The attack disrupted classes and coursework at school districts and universities nationwide, with social media flooded by reports from students and faculty unable to access their assignments or communications.

Source: krebsonsecurity.com

2. Who is behind the attack, and what are their demands?

The attack is attributed to ShinyHunters, a well-known cybercrime group that specializes in data extortion. The group claimed responsibility for the initial data breach and posted a ransom demand on the Canvas login page. The demand threatened to leak stolen information belonging to 275 million users across nearly 9,000 educational institutions unless a ransom was paid. The original deadline was set for May 6, but it was later extended to May 12. ShinyHunters also advised affected schools to negotiate separate ransom payments directly with them to prevent their data from being published, regardless of whether Instructure paid the ransom.

3. What type of data was stolen, and how sensitive is it?

According to Instructure's investigation, the stolen data includes certain identifying information such as names, email addresses, and student ID numbers, as well as private messages exchanged among users. The company stated that there is no evidence that more sensitive data like passwords, dates of birth, government identifiers, or financial information was accessed. However, ShinyHunters claims the dataset is far larger and includes billions of private messages, phone numbers, and email addresses. Even though the compromised data may not be highly sensitive by itself, its exposure could facilitate phishing attacks and identity theft, especially given the scale of the breach.

4. How did Instructure respond to the breach and the login page defacement?

Instructure first acknowledged the data breach on May 5, stating that they had contained the incident and found no ongoing unauthorized activity. However, on May 7, when the defacement occurred, the company immediately disabled Canvas and replaced the login page with a message that the system was undergoing scheduled maintenance. Their status page indicated they anticipated being back up soon. In a statement, Instructure said they were working to restore services and would provide updates as needed. The response aimed to prevent further exposure and to control the narrative, but it also caused significant disruption for schools in the middle of final exams.

5. Why was the timing of this attack particularly damaging?

The attack came at an especially critical time for educational institutions: many were in the midst of final examinations and end-of-semester grading. Canvas serves as a central hub for submitting assignments, accessing course materials, and communicating with instructors. Any extended outage can delay grades, disrupt exam schedules, and create confusion among students and faculty. The defacement added shock and worry, as users saw a ransom demand instead of their coursework. For Instructure, the incident could harm its reputation and lead to loss of trust among its clients, especially since schools rely on the platform during high-stakes academic periods.

6. What can affected students and faculty do to protect themselves?

Students and faculty at affected institutions should first check official communications from their school or district for guidance. They should change their Canvas passwords immediately and ensure they use strong, unique passwords across different platforms. It is also wise to enable multi-factor authentication if available. Be vigilant for phishing emails that may try to exploit the breach—cybercriminals often use stolen email addresses to send malicious links. Avoid clicking on suspicious links in messages, especially those claiming to be from Canvas or Instructure. Monitor your accounts for unusual activity and report any identity theft concerns to your school's IT department or local authorities.

7. Is there a ransom deadline, and what are the risks if it's not paid?

The ransom deadline set by ShinyHunters was initially May 6 but was later pushed back to May 12. It remains unclear whether Instructure or any individual schools paid the ransom. If the deadline passes without payment, the group threatens to release the stolen data publicly. This could include names, email addresses, student IDs, and private messages. While no financial data or passwords were compromised according to Instructure, the release of such information could lead to targeted scams, harassment, or identity theft attempts. The risk is significant given the large number of users—275 million—which would make this one of the largest education data leaks in history.

8. What is the current status of the Canvas platform?

As of the latest updates, Canvas was taken offline by Instructure on May 7 following the defacement. The company replaced the login portal with a maintenance message and stated they hoped to restore services soon. At the time of reporting, no specific restoration timeline was given. Instructure's status page indicated they were working on the issue. It is recommended that users follow their school's announcements for updates on when Canvas will be accessible again. The incident is ongoing, and further developments may arise, especially with the ransom deadline approaching.
