Canvas Cyberattack: What Schools Need to Know About the Breach and Outage

A widespread cyberattack on Canvas, the leading learning management system used by thousands of schools and universities, has disrupted coursework and final exams across the United States. Threat actors defaced the login page with a ransom demand, and the platform was taken offline. This Q&A breaks down the incident, its implications, and steps to stay safe.

What exactly happened in the Canvas breach?

On May 7, students and faculty at dozens of institutions found that the Canvas login page had been replaced with a ransom note from the cybercrime group ShinyHunters. The group threatened to leak data from 275 million users across nearly 9,000 educational institutions unless a ransom was paid. Canvas parent company Instructure responded by disabling the platform entirely and displaying a maintenance message. This defacement came after Instructure had already acknowledged a data breach earlier in the week. Learn more about ShinyHunters.

Who is the ShinyHunters group and what do they want?

ShinyHunters is a cybercrime group known for high-profile data extortion attacks. In this case, they claimed responsibility for stealing data from Canvas and initially set a ransom deadline of May 6, later extended to May 12. The extortion message advised affected institutions to negotiate separate ransom payments to prevent publication of their data, regardless of whether Instructure paid. The group has a history of targeting educational technology platforms and selling stolen data.

What kind of data was stolen from Canvas users?

According to Instructure's investigation as of May 6, the stolen data includes identifying information such as names, email addresses, and student ID numbers, as well as messages among users. ShinyHunters claims to have several billion private messages plus phone numbers, but Instructure found no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. The company stated the incident was contained and no ongoing unauthorized activity was detected.

How did Instructure respond to the attack and outage?

Instructure initially confirmed the breach on May 5 and said Canvas was fully operational. However, when the defacement occurred on May 7, they immediately took Canvas offline, replacing the login page with a scheduled maintenance notice. The company's status page currently says, “We anticipate being up soon, and will provide updates as soon as possible.” Despite earlier assurances, the outage disrupted thousands of schools. See how this affects exams.

Why is this attack especially damaging for students and faculty?

The timing couldn't be worse. Many schools and universities are in the middle of final exams, and Canvas is critical for submitting assignments, accessing grades, and communicating with instructors. A prolonged outage can hinder academic progress and cause stress for students. Even if the stolen data lacks highly sensitive information, the disruption to learning and evaluation processes is severe. Institutions face reputational risks and potential legal consequences if data is leaked.

What should students and faculty do to protect their information?

Users should change their Canvas passwords if they haven't already and enable multi-factor authentication when available. Be wary of phishing emails that may reference the breach. Monitor official communications from your school or university. If you used the same password for other accounts, update those too. Avoid clicking links in unsolicited messages. Instructure said no financial or government IDs were compromised, but remain vigilant for identity theft attempts.

Is Canvas back online now, and what is the current status?

As of the latest update, Canvas remained offline with a maintenance message. Instructure has not provided a specific restoration timeline but continues to investigate. The attack forced a shutdown to prevent further defacement and to secure the platform. Students and faculty should check their institution's alternative communication channels for updates on classwork and exams. The company is working with law enforcement and cybersecurity experts to resolve the issue.