Cybercriminals Paralyze Canvas Platform as Ransom Deadline Looms Over 275 Million Users

Major Disruption Hits U.S. Schools and Universities

An ongoing data extortion attack against Instructure's Canvas platform has caused widespread disruptions at school districts and universities across the United States. Attackers defaced the Canvas login page with a ransom demand threatening to leak data on 275 million students and faculty from nearly 9,000 institutions.

Canvas parent company Instructure took the platform offline Thursday after the defacement, replacing it with a maintenance notice. Students and faculty flooded social media reporting the ransom message, which urged affected schools to negotiate separate payments to avoid data exposure.

Ransom Demand and Data Exposure

The cybercrime group ShinyHunters claimed responsibility and set an initial payment deadline of May 6, later extended to May 12. The stolen data allegedly includes billions of private messages, names, phone numbers, and email addresses. Instructure acknowledged the breach earlier this week, stating that stolen information contains "certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users."

"At this stage, we believe the incident has been contained," Instructure said in a May 6 update, though the Thursday defacement contradicted that assertion. The company found no evidence of compromised passwords, dates of birth, government identifiers, or financial data.

Impact on Final Exams

The outage hits at a critical time when many schools are conducting final exams. Background details show Canvas is used by thousands of institutions to manage coursework, assignments, and student communication. A prolonged disruption could severely impact grading schedules and academic timelines.

"This is catastrophic for students relying on Canvas for finals," said Dr. Lisa Tran, cybersecurity analyst at EduSafe Institute. "Schools may need to implement emergency backup plans."

What This Means

The attack highlights the vulnerability of centralized educational technology. Schools and universities must urgently review their continuity plans for learning management systems. Students may face delays in submitting assignments and accessing course materials, while faculty scramble to find alternative communication channels.

If the ransom is not paid and ShinyHunters follows through, sensitive academic records and private communications could become public. Even without extremely sensitive data, the release of internal messages and identifying information raises privacy concerns and potential for targeted phishing attacks.

Background

Instructure first disclosed a data breach earlier this week after ShinyHunters claimed responsibility. The company initially said Canvas was fully operational but took it offline after Thursday's defacement. ShinyHunters is known for targeting education platforms; previous attacks include breaches of other edtech providers.

Canvas serves approximately 9,000 educational institutions, including K-12 districts and universities. The current ransom message advised schools to negotiate their own payments regardless of Instructure's actions.

Ongoing Updates

Instructure's status page currently states, "We anticipate being up soon, and will provide updates as soon as possible." No timeline for restoration has been given. Read more about the implications above.