A significant cyberattack has targeted Instructure, the parent organization of the popular Canvas learning management system, causing widespread disruptions for numerous schools and universities across the United States during a critical finals week. The cybercrime group known as ShinyHunters is believed to be behind this attack, having reportedly altered Canvas login pages at various institutions to display ransom messages. These messages threaten to release stolen student and institutional data by May 12 unless a settlement is reached.

According to reports, the hackers inserted harmful HTML files into the login portals of educational institutions, replacing standard Canvas pages with alarming warnings. Additionally, Instructure's website and the Canvas platform faced outages, often showing “too many requests” errors or “scheduled maintenance” alerts. This incident follows a previous announcement from Instructure regarding a data breach where hackers accessed names, email addresses, student ID numbers, and communications between students and teachers. Fortunately, the company stated that there was no indication that passwords, financial details, birth dates, or government IDs were compromised.

ShinyHunters has claimed responsibility for breaching nearly 9,000 educational institutions globally, acquiring data linked to hundreds of millions of users. The group has urged affected institutions to reach out via the encrypted platform TOX before the deadline to avoid data leaks.

As students prepared for final exams and assignment submissions, universities nationwide reported significant outages and disruptions. Indiana University indicated that instructors were unable to access grades or assignments during this crucial period, with university IT services confirming a “global outage” affecting Canvas. A warning message circulated within the Luddy School cautioned students that their accounts and credentials “may be compromised.”

Princeton University’s Canvas platform became inaccessible less than a day before final assessments were set to commence, prompting university officials to advise instructors to back up their gradebooks as a precautionary measure. Other institutions, including Harvard University, Duke University, Brown University, the University of California Irvine, University of Wisconsin-Madison, Penn State, Georgetown University, San Diego State University, and the University of Pennsylvania, also reported disruptions or acknowledged the breach. Some universities have cautioned students to be vigilant against phishing scams and suspicious emails that may utilize leaked information such as names, email addresses, messages, and student ID numbers.

ShinyHunters is a notorious black-hat hacking and extortion group believed to have emerged in 2019. This group has been associated with several significant cyberattacks and is recognized for its “pay or leak” approach, where stolen data is either ransomed back to the victims or publicly leaked if their demands are not met. ShinyHunters has consistently targeted educational platforms and companies, often making breaches public on dark web leak sites to coerce victims into paying settlements.