Canvas Cyberattack Disrupts Schools After Student Data Theft
Schools and universities affected by a major cyberattack involving the educational platform Canvas have reportedly contacted hackers in an effort to prevent stolen student data from being released online.
The breach, linked to the hacking group ShinyHunters, has disrupted educational institutions across the United States during a critical period as students prepare end-of-year assignments and examinations. Canvas, widely used by schools and universities, supports coursework, communication, and information sharing between students and faculty.
ShinyHunters claimed in a May 3 post that it had stolen around 6.65 terabytes of Canvas-related data connected to nearly 9,000 schools worldwide. The group said the data included student names, email addresses, student identification numbers, and private messages exchanged between students, teachers, and staff.
Schools Seek To Limit Data Exposure
According to a source familiar with the matter, some educational institutions whose data was compromised have reached out directly to the hackers in hopes of preventing the publication of sensitive information.
The hacking group also publicly accused Canvas parent company Instructure of failing to negotiate following the breach. In a May 5 message posted online, ShinyHunters claimed the company “had not even bothered speaking to us” and suggested the demanded payment was lower than expected.
Additionally, the group published a list of around 1,400 schools and districts allegedly affected by the incident. Schools were invited to contact the hackers directly to negotiate and stop the release of data.
However, ShinyHunters later removed both online messages on May 7 and replaced them with a statement saying the group would make no further comment regarding the incident.
Instructure Responds To Security Incident
Instructure confirmed in early May that it was investigating a cybersecurity incident involving Canvas. The company later acknowledged that affected information included usernames, email addresses, student ID numbers, and messages between users.
The company’s Chief Information Security Officer, Steve Proud, stated that the issue had been identified and addressed. By May 6, Instructure announced that Canvas was fully operational again.
Nevertheless, students at several schools reported seeing a message from ShinyHunters when attempting to log into Canvas on May 7. The message included a link to the list of affected institutions.
Shortly afterwards, Instructure temporarily took Canvas, Canvas Beta, and Canvas Test offline. The main Canvas service returned within four hours, although Canvas Beta and Canvas Test remain under maintenance.
An Instructure spokesperson later explained that the hackers had altered pages visible to some logged-in students and teachers.
Free-For-Teacher Service Linked To Breach
According to the company, attackers exploited an issue connected to Canvas’ Free-for-Teacher service. This feature allows non-Canvas users to access selected parts of the platform for testing and educational purposes.
Instructure temporarily shut down the service while restoring system access. The company said this action helped secure the platform and enabled the safe return of core Canvas operations.
Meanwhile, the FBI confirmed on Friday that it was aware of a cyber incident affecting the U.S. education system, although the agency did not directly identify Canvas.
Several school districts have continued limiting access to the platform as a precaution. Montgomery County Public Schools in Maryland informed students and staff that services were being restored gradually while systems underwent further safety reviews.
Additionally, a notice sent to parents in New Jersey’s South Orange-Maplewood School District stated that the breach occurred on April 25 and that suspicious activity was detected four days later.
Canvas currently serves around 30 million active users ranging from kindergarten students to university-level learners, according to Instructure.
With inputs from Reuters
