Schools reach out to Canvas hackers as breach hits US classrooms, source says

The hacking group ShinyHunters stole 6.65 terabytes of data, including student names, emails, and private messages, from Canvas, affecting nearly 9,000 schools globally, while some U.S. schools negotiated directly with the hackers to prevent data leaks. Instructure, Canvas’s parent company, confirmed the breach on May 1 and resolved the issue by May 6, but some schools, such as Montgomery County Public Schools in Maryland, kept access restricted as a precaution.
A cybersecurity breach targeting Canvas, an educational platform used by nearly 9,000 schools worldwide, resulted in the theft of 6.65 terabytes of data, including student names, email addresses, and private messages between students and teachers. The hacking group ShinyHunters announced the breach in a May 3 post, listing affected schools and inviting institutions to negotiate to prevent data release. Some U.S. schools, including South Orange-Maplewood School District in New Jersey, confirmed unauthorized activity was detected on April 29, disrupting end-of-year tasks and final exams for students.

Instructure, Canvas’s parent company, acknowledged the incident on May 1, stating that user names, email addresses, student IDs, and internal messages were compromised. By May 6, the company declared the situation resolved and restored full Canvas functionality, though Canvas Beta and Canvas Test remained in maintenance mode.

ShinyHunters later posted a list of 1,400 affected schools, pressuring institutions to negotiate before releasing the data. The group removed its posts by May 7, citing no further comments. Students at multiple schools reported encountering a note from ShinyHunters upon logging into Canvas on May 7, directing them to the list of affected institutions. Instructure temporarily took Canvas, Canvas Beta, and Canvas Test offline before restoring access to Canvas four hours later. Montgomery County Public Schools in Maryland continued restricting access to Canvas out of caution, even after the company’s resolution statement.

The breach impacted Canvas’s 30 million active users, spanning kindergarten through college levels. ShinyHunters, known for extortion campaigns, declined to comment on the incident, and Instructure did not respond to requests for further clarification. The breach underscored vulnerabilities in educational technology platforms as schools prepare for critical academic deadlines.