What we know about the Canvas hack impacting thousands of schools

A cyberattack on Canvas, a widely used education platform with over 30 million active users globally, disrupted access for thousands of US schools and universities on Thursday. The hacking group ShinyHunters claimed responsibility, posting a ransom note on affected institution pages, including those of Columbia, Princeton, Harvard, and Georgetown. Schools in multiple states, such as California, Florida, and Georgia, reported outages, forcing some to reschedule finals and distribute materials through alternative methods. The attack followed a May 1 cybersecurity incident involving Instructure, Canvas’s parent company, where the group accused the company of ignoring their demands after a previous breach. Instructure stated the breach was contained but acknowledged exposure of user names, email addresses, student IDs, and communications. ShinyHunters had previously targeted Ticketmaster and other high-profile organizations, using sophisticated tactics like voice phishing and fake login pages to steal data. By late Thursday, Instructure restored access for 'most users' after placing Canvas in maintenance mode for investigation. However, many institutions had already extended deadlines due to the disruption. This marks the second breach by ShinyHunters this month, with the group criticizing Instructure’s response to the earlier incident. ShinyHunters has been linked by cybersecurity researchers, including Mandiant (a Google-owned firm), to a pattern of data theft targeting cloud-based platforms. The group’s operations involve extortion, often selling stolen data on the dark web. The US Department of Justice has previously sentenced members of associated hacking crews to prison for their activities. Instructure has not yet provided further comment on the latest attack, though it confirmed the breach and its containment efforts. The disruption highlights ongoing risks to educational institutions relying on digital platforms for critical functions.