Major Cyber Attack on Instructure Canvas Disrupts Educational Institutions Across the U.S.
A recent cyber attack on the widely-utilized Instructure Canvas learning management system (LMS) has wreaked havoc for schools and universities throughout the United States, coinciding with a crucial period as students prepare for finals. This incident poses a significant risk to the personal data of millions of students and teachers engaged in online learning.
Reports emerged on Thursday from multiple educational institutions experiencing outages related to the Canvas platform. Users reported being confronted with ransom messages displayed directly on school Canvas homepages. According to Instructure, the company sustaining the platform, Canvas currently supports over 30 million active users globally. By late Thursday, most services had reportedly returned to normal; however, Canvas Beta and Canvas Test functions remained in maintenance mode, leaving certain features inaccessible.
Responsibility for this cyber assault has been attributed to the ransomware group ShinyHunters, which has claimed to have compromised data pertaining to more than 275 million individuals across nearly 9,000 educational institutions. In a ransom note disseminated by the group, they threatened to leak “billions of private messages” shared between students and teachers unless a response was received from Instructure by May 12.
High-profile colleges and public schools, including revered institutions like Harvard University, Princeton University, Columbia University, and Georgetown University, have reported receiving ransom letters through their respective Canvas portals. This revelation has added layers of anxiety for students already grappling with the pressures of exams and assignments, thus amplifying their stress levels during an already challenging period.
While Instructure has yet to provide official confirmation regarding the extent of the alleged data leak or validate the claims made by ShinyHunters, the incident underscores the escalating vulnerabilities of educational technology platforms that aggregate vast amounts of personal student information in the cloud.
Security Experts Weigh In
Nathaniel Jones, Vice President of Security & AI Strategy and Field CISO at Darktrace, remarked on the pattern of attacks perpetrated by ShinyHunters. He stated that such incidents are becoming increasingly commonplace, as the group follows a consistent strategy: targeting widely used platforms, exploiting their vulnerabilities, and leveraging the resulting data against the educational institutions that rely on their services. The education sector, with its wealth of sensitive student data and often limited security resources, represents a particularly appealing target for cybercriminals. Jones emphasized that when a single platform goes down, it compromises its thousands of customers.
Darren Guccione, CEO and Co-Founder of Keeper Security, elaborated on the severity of this breach, indicating that the scale of the incident—which encompasses hundreds of millions of users—marks it as a high-value target for ShinyHunters. He noted that educational platforms accumulate a unique concentration of confidential data, including personal identifiers and private communications, which makes this type of breach particularly consequential.
This is not the first instance where Instructure has found itself on the radar of ShinyHunters. Back in September 2025, the group managed to breach the company’s Salesforce environment via social engineering tactics. ShinyHunters now asserts that they infiltrated the same environment anew through a vulnerability, which has since been addressed. This suggests a troubling pattern: the same group targeting the same platform may indicate that the initial security measures taken were insufficient.
Protecting Against Future Incidents
The attack on Canvas raises essential questions about the long-term safety of training and educational technologies. Security experts advocate that firms operating Software as a Service (SaaS) platforms adopt continuous identity and access governance. This approach should focus on strict auditing and enforcement of permission controls, particularly as platforms increasingly transition to cloud environments.
Tony Jarvis, Vice President and Field CISO at Darktrace, noted the staggering potential ramifications of this ransomware attack, highlighting that nearly 9,000 schools and universities are affected, which translates to a potential impact on 275 million individuals. The timing of the attack complicates matters further, coinciding with final assignment submissions for many students.
For affected students, Jarvis recommends adopting security measures such as changing passwords, enabling multi-factor authentication, and remaining vigilant against possible phishing attempts, even if they perceive themselves as not directly impacted.
The Broader Implications
Hüseyin Can Yüceel, security research lead at Picus Security, emphasized that ShinyHunters has established itself as a disciplined, financially driven threat actor. Their methodology blends social engineering with long-term technical persistence, thereby making them particularly dangerous.
Within the realm of educational data breaches, the materials compromised often belong to minors. Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at Huntress, underscored the unique vulnerability of educational institutions. With personal information at stake—including names, email addresses, and student identifiers—the long-term consequences of identity theft, social engineering, and personal safeguarding are significant and troubling.
As the educational sector continues to emerge as a prime target for cybercriminal actors like ShinyHunters, the implications of such breaches resonate beyond immediate financial impacts. Educational institutions find themselves at a crossroads, with data security becoming increasingly paramount to protect vulnerable populations from the lasting repercussions of cyber attacks.