
New Canvas Hack Ransomware Attack Sparks Security Crisis

Summary

– A cyberattack on Instructure, maker of the Canvas learning platform, caused widespread disruption at thousands of U.S. schools, including during finals, after the system was put into maintenance mode on Thursday.
– Hackers using the name “ShinyHunters” have been attempting to extort a ransom from Instructure since May 1, claiming the breach affected over 8,800 schools.
– Exposed user data from the breach includes names, email addresses, student ID numbers, and messages exchanged on the platform.
– Attackers launched a secondary wave, defacing Canvas login pages at schools like Harvard to display a message urging affected institutions to negotiate a settlement before May 12.
– The incident highlights the ongoing problem of data extortion in education, with a massive trove of student information potentially exposed.

Higher education has long been a prime target for ransomware gangs and data extortion attacks, but the recent breach of the widely adopted Canvas learning platform marks an unprecedented disruption. When Instructure, the education tech company behind Canvas, placed the system into “maintenance mode” on Thursday, it triggered chaos at thousands of schools across the United States, many of which were juggling finals and end-of-year assignments.

The attackers, operating under the recognizable moniker ShinyHunters, have been advertising the breach and attempting to extort a ransom from Instructure since May 1. Yet the situation became a pressing crisis for ordinary students and faculty on Thursday, as the Canvas downtime left classrooms and campuses scrambling. Universities including Harvard, Columbia, Rutgers, and Georgetown sent out alerts to their communities, and school districts in at least a dozen states also reported impacts. On the hackers’ dark web ransom site, they claim the breach affected more than 8,800 schools, though the full scale and reach of the incident remain unclear. The prolonged outage throughout Thursday afternoon and evening only deepened the confusion.

In a running incident log updated since May 1, Steve Proud, Instructure’s chief information security officer, acknowledged that the company had “recently experienced a cybersecurity incident perpetrated by a criminal threat actor.” By May 2, he confirmed that the compromised data for “users at affected institutions” included names, email addresses, student ID numbers, and messages exchanged on the platform. The incident was initially marked as “Resolved” on Wednesday, with Proud stating that “Canvas is fully operational, and we are not seeing any ongoing unauthorized activity.” However, by midday Thursday, the Instructure status page reported an “issue” with login difficulties for Student ePortfolios. Within hours, the company placed Canvas, Canvas Beta, and Canvas Test into maintenance mode. Late Thursday evening, Canvas was restored “for most users.”

According to TechCrunch, the hackers launched a secondary wave of attacks, defacing some schools’ Canvas portals by injecting an HTML file to display their own message on login pages. The Harvard Crimson reported that attackers altered the Harvard Canvas login page to show a list of schools they claimed were impacted, urging those institutions to “consult with a cyber advisory firm and contact the group privately to negotiate a settlement before the end of the day on May 12, or else risk their data being leaked.” It remains unclear what specific information tied to Harvard affiliates was exposed.

Instructure did not immediately respond to a request for comment about Thursday’s outages or how they fit into the broader breach narrative. Still, the incident is significant because a massive trove of student information has potentially been exposed, and the nationwide visibility of the disruption makes it a stark example of the escalating problem of data extortion and ransomware attacks in education.

The ShinyHunters name has been linked to massive data dumps and the infamous hacker collective known as the Com, but the constellation of actors has shifted over the years. Numerous attackers have adopted prominent Com-related monikers, and recent attacks have also invoked names like Lapsus$, often with little or no connection to the original groups that operated under them.

(Source: Wired)
