The Canvas education platform was taken offline today after the cybercrime group ShinyHunters defaced its login page with a ransom demand, claiming it had stolen data on 275 million students and faculty at nearly 9,000 institutions 1.
The defacement disrupted classes and coursework at dozens of U.S. school districts and universities, many of them in the middle of final exams, according to reports from affected users and social media posts 1.
Instructure, Canvas’s parent company, disabled the platform after the extortion message appeared and replaced the portal with a notice saying, "Canvas is currently undergoing scheduled maintenance. Check back soon," while its status page said updates would follow 1.
ShinyHunters claimed responsibility for a breach earlier this week and initially set a ransom deadline of May 6, later pushing it to May 12; the group said the stolen data included names, email addresses, student ID numbers and messages among users 1.
Instructure’s May 6 statement said the investigation shows the stolen information included "certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users," and that it had not found evidence of passwords, dates of birth, government identifiers or financial information being exposed 1.
The extortion message reportedly told each affected school to negotiate its own ransom to prevent publication of its data, regardless of any payment decision by Instructure; ShinyHunters also claimed the haul includes "several billion private messages among students and teachers" 1.
A source close to the investigation told KrebsOnSecurity that several universities have already approached the cybercrime group about paying; the timing of the outage—during final exams at many institutions—has amplified the disruption and potential damage to Instructure 1.