Canvas Is Back Online. The Damage to Millions of Students May Last Much Longer.
The criminal extortion group ShinyHunters claimed responsibility last week for a cyberattack on Instructure, the parent company of Canvas, the widely used learning management platform serving more than 30 million active users at over 8,000 institutions globally.
Canvas is the most widely adopted LMS in North American higher education, used by 41% of institutions on the continent, according to the company. The breach disrupted students and faculty at schools ranging from Harvard, MIT, Columbia, Princeton and Georgetown to K–12 districts across at least a dozen states, including California, Texas, Florida, Georgia and Wisconsin.
Instructure first detected unauthorized activity on April 29 and disclosed a cybersecurity incident on May 1. The company said the situation had been contained by May 2, though it acknowledged that names, email addresses, student ID numbers and private messages among users had been exposed. On May 7, ShinyHunters struck again, replacing Canvas login pages with a ransom note that declared the group had “breached Instructure (again)” — a reference to a prior attack in September 2025 — and accused the company of responding to that incident by applying “security patches” rather than negotiating.
The group claimed access to 275 million individuals’ data and threatened to leak “several billions of private messages” unless paid. A May 12 deadline was set for affected schools to negotiate settlements.
Instructure subsequently took Canvas offline to investigate, confirmed the exploit was tied to its Free-For-Teacher accounts, and permanently shut down that program. Canvas was restored on May 8. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) were notified. Instructure said there is no evidence that passwords, dates of birth, government identifiers or financial information were involved.
The disruption hit at a particularly bad time — finals week — forcing universities to extend deadlines, rework exam schedules and scramble for alternate platforms. Houston ISD stood up a temporary Google site for curriculum access. Arizona State University said the incident rendered Canvas “inaccessible.” The impacts extended internationally, with universities in Australia, the United Kingdom and Canada also affected.
What experts say schools must do now
Brandon Blankenship, CISO of ProCircular, a Midwest-based cybersecurity consulting firm that has been closely monitoring the breach and has created a GitHub-based Canvas breach customer lookup tool, said the incident follows a recognizable and troubling trajectory.
“The Canvas breach is a reminder that shared infrastructure risk is institutional risk,” Blankenship said. “When a platform serving 41% of North American higher education is compromised, every tenant becomes a potential extortion target, regardless of their own security posture. We saw this play out after the PowerSchool incident in 2024, and we expect the same pattern here.”
Blankenship was direct about what institutions should not do. “A ransom payment has never guaranteed data deletion,” he said. “The path forward is proactive auditing, pre-established incident response protocols, and a firm organizational stance against negotiation before a threat ever arrives.”
He also cautioned that vendor-level credential rotation is not enough. “Credential rotation at the vendor level does not eliminate persistence mechanisms inside your own tenant.”
Mark Stockley, cybersecurity evangelist at ThreatDown, described the scale of the attack in stark terms. “The infrastructure breach is a devastating attack on the nation’s school system, and a wake-up call to how outmatched many of our institutions are in the face of global cybercrime,” Stockley said. “This is extortion at a scale that should alarm every parent, educator, and policymaker in the country.”
Stockley pointed to identity compromise as both the likely entry point and a systemic vulnerability. “Nearly 30% of breaches start with some form of stolen identity, and ShinyHunters’ attack was likely due to social engineering,” he said — an assessment consistent with reporting that ShinyHunters has historically used voice phishing and social engineering for initial access.
Stockley argued the mismatch between institutional resources and criminal sophistication is not an accident. It is an opportunity adversaries actively exploit. “It is unrealistic to have the expectation that every school has a SOC in place,” he said, “but the uncomfortable reality is that — with such a significant rotation in identities — schools, and U.S. schools in particular, are only going to be targeted more. It is an easy ROI for cyber adversaries.”
The solution, Stockley said, is non-negotiable. “Every school needs 24/7 protection capable of detecting attackers abusing trusted identities and legitimate system tools to move undetected through networks.”
He sees the current moment as a turning point that the education sector can no longer defer. “This is education's Colonial Pipeline moment — the one that finally forces a reckoning.”
As of May 11, Instructure had not publicly disclosed whether any ransom negotiations are underway. The full scope of exposed data remains under investigation.
About the Author

Rodney Bosch
Contributor
Rodney Bosch is a seasoned journalist and Editor-in-Chief of SecurityInfoWatch.com, covering the full spectrum of the security industry. Drawing on years of experience in both B2B and newspaper journalism, he provides clear, credible reporting and analysis on the technologies, companies, and trends shaping today’s security marketplace.

