Canvas Cyberattack: Key Questions and Answers About the Education Platform Breach

In early May 2025, the widely used education technology platform Canvas experienced a significant cyberattack. A group known as ShinyHunters defaced the login page with a ransom demand and threatened to leak data from 275 million students and faculty across nearly 9,000 institutions. The incident disrupted classes and exams nationwide, prompting parent company Instructure to temporarily take the platform offline. This Q&A explains the key details, impact, and responses surrounding the breach.

What exactly happened in the Canvas breach?

On May 7, 2025, users of the Canvas learning management system were greeted by a ransom note instead of the usual login page. The cybercrime group ShinyHunters claimed responsibility, stating they had stolen massive amounts of data and would release it unless a ransom was paid. Instructure, Canvas's parent company, responded by disabling the platform and displaying a “scheduled maintenance” message. The attack came just days after Instructure had acknowledged a breach of user information, which initially seemed contained. The defacement marked an escalation, forcing Instructure to prioritize security and system restoration while millions of students and educators faced disruption during final exam season.

Who is behind the attack, and what are their demands?

The group behind the attack is ShinyHunters, a known cybercrime collective infamous for data breaches and extortion. In this case, they demanded a ransom from Instructure to prevent the release of stolen data, setting an initial deadline of May 6 that was later extended to May 12. Additionally, the defacement message encouraged affected schools to negotiate separate payments to avoid public exposure of their specific data. This tactic of double extortion—targeting both the platform provider and individual institutions—is a common ransomware strategy. ShinyHunters claimed the stolen data includes billions of private messages, names, email addresses, and phone numbers, escalating pressure on all parties involved.

What type of data was stolen, and is it sensitive?

According to Instructure, the stolen information includes “certain identifying information” such as names, email addresses, student ID numbers, and messages exchanged between users. The company stated that no evidence suggests passwords, dates of birth, government identifiers, or financial data were compromised. However, ShinyHunters claims to hold additional data, including phone numbers and billions of private messages. While the lack of highly sensitive data like Social Security numbers reduces identity theft risks, the exposure of personal communications and contact details still poses privacy concerns. Schools and users should remain vigilant for phishing attempts or other secondary attacks exploiting the leaked information.

How did Instructure respond to the incident?

Instructure’s initial response was to acknowledge a data breach on May 5, stating that the incident appeared contained and Canvas remained operational. However, after the May 7 defacement, the company immediately pulled Canvas offline and replaced the login portal with a maintenance notice. They also issued a public statement promising updates and emphasizing that they were working to restore services safely. As of May 8, the status page indicated that Canvas would be back online soon. The company’s swift action to shut down the platform demonstrates a priority on preventing further unauthorized access, though the disruption has frustrated many users—especially those in the midst of final exams and end-of-year grading.

What impact has the breach had on schools and students?

The timing of the attack was particularly damaging: many U.S. schools and universities were conducting final exams and wrapping up coursework. With Canvas inaccessible, instructors could not post assignments, manage submissions, or communicate with students. Learners were left unable to take scheduled tests or access essential course materials. Social media flooded with complaints and confusion, with some students fearing they might fail courses due to the outage. The incident not only disrupted academic schedules but also raised concerns about the reliability of third-party educational platforms. Prolonged downtime could harm Instructure's reputation and push institutions to reconsider their reliance on Canvas for critical academic operations.

What should affected institutions and individuals do now?

Schools and universities affected by the breach should immediately notify their communities about the incident and advise caution. They should implement enhanced monitoring for phishing emails or scams that might use the stolen data. Users should change passwords on their Canvas accounts once the platform is restored—and on any other accounts that share similar credentials. Institutions may also consider negotiating directly with ShinyHunters as suggested in the ransom note, though law enforcement typically advises against paying. Long-term, this incident highlights the need for districts and universities to have contingency plans for technology outages, including offline backups of grades and alternative communication channels.