Canvas Data Breach Disrupts U.S. Schools During Finals: Everything You Need to Know

A major cybersecurity incident hit the Canvas learning management system, used by thousands of U.S. schools and universities. The attack disrupted classes and final exams after a cybercriminal group defaced the login page with a ransom demand. Here we break down what happened, who is responsible, and how it affects students and faculty.

What exactly happened in the Canvas breach?

On May 7, 2025, users of the Canvas platform were greeted by a ransom message instead of the usual login page. The message, posted by the cybercrime group ShinyHunters, demanded payment to prevent the leak of stolen data. Canvas parent company Instructure quickly took the platform offline, replacing the login page with a notice about scheduled maintenance. The outage came just days after Instructure acknowledged a data breach, making the defacement a dramatic escalation. Schools and colleges across the country reported being unable to access course materials, submit assignments, or communicate with students and teachers. The disruption was especially painful as many institutions were in the middle of final exams.

Who is ShinyHunters and why did they target Canvas?

ShinyHunters is a cybercrime group known for large-scale data breaches and extortion attacks. They claimed responsibility for the Canvas incident, stating they had stolen data on 275 million users from nearly 9,000 educational institutions. The group originally set a ransom deadline of May 6, later extended to May 12. In their defacement message, they urged affected schools to negotiate separate ransom payments to prevent their data from being published. ShinyHunters has a history of targeting education and technology platforms, often demanding payment in cryptocurrency. Their motivation appears to be financial gain, leveraging the sensitive nature of student and faculty data.

What data was stolen in the Canvas breach?

According to Instructure, the stolen information includes names, email addresses, and student ID numbers, as well as messages exchanged between users. The company stated that no evidence of more sensitive data—such as passwords, dates of birth, government identifiers, or financial information—was compromised. However, ShinyHunters claims to have billions of private messages, along with phone numbers and email addresses. The discrepancy between the company's assessment and the hackers' claims has caused concern among users. While the stolen data may not include highly sensitive financial or login credentials, the exposure of personal communications and identifiers still poses privacy risks and could be used for phishing or social engineering attacks.

How did Instructure respond to the attack?

Instructure took immediate action by disabling the Canvas platform after the defacement appeared. They replaced the login page with a message stating, “Canvas is currently undergoing scheduled maintenance. Check back soon.” Their status page indicated they anticipated being back online soon and would provide updates. Earlier in the week, Instructure had acknowledged the breach and stated that the incident appeared contained. The company said they found no ongoing unauthorized activity at that time. However, the defacement contradicted that claim, forcing a more aggressive response. Instructure continues to investigate and is working with law enforcement and cybersecurity experts to restore services securely. The outage disrupted millions of users, and the company faces scrutiny over its handling of the breach.

Why is the timing of the Canvas breach particularly damaging?

The attack struck during a critical period for schools and universities: final exams. Many institutions rely on Canvas to administer tests, accept assignments, post grades, and communicate last‑minute exam details. A prolonged outage could prevent students from submitting final projects or accessing study materials, potentially delaying graduation or causing academic penalties. For faculty, the loss of a centralized platform makes grading and communication chaotic. The disruption also damages trust in Canvas as a secure platform for sensitive academic data. Instructure risks losing customers if schools switch to alternative systems. The financial impact could be significant, not only from ransom demands but also from reputational harm and potential legal liabilities. The breach highlights the vulnerability of educational technology to cyberattacks at the worst possible times.

What did the extortion message on Canvas say?

The ransom message displayed on the Canvas login page instructed affected schools to negotiate their own ransom payments directly with ShinyHunters to prevent the publication of their data. The hackers threatened to leak information from 275 million users across thousands of institutions if their demands were not met. The message appeared regardless of whether Instructure itself paid a ransom. This tactic—known as double extortion—applies pressure not only on the platform provider but also on individual customers. The defacement was unexpected, as Instructure had previously stated the breach was contained. The message shocked students and teachers who rely on Canvas daily, turning a normal login attempt into a distressing encounter with cybercrime.

What should schools and students do after the Canvas breach?

In light of the breach, educational institutions should immediately notify all users about the incident and advise them to be wary of phishing emails or suspicious messages that might use stolen information. Users should change passwords for Canvas and any other accounts that share the same credentials, even though Instructure said passwords were not compromised. Schools may consider temporarily disabling direct messaging within Canvas to reduce exposure. It is also prudent for institutions to assess their own security practices and consider multi‑factor authentication for staff accounts. Students and faculty should monitor their own accounts for unusual activity and report any suspected data misuse. Long term, schools may need to revisit their data protection agreements with vendors like Instructure and explore backup platforms for critical academic functions during outages.