During final exams, the learning management system 'Canvas' became temporarily unavailable at a school after a criminal group, ShinyHunters, launched a blackmail attack threatening to leak data from approximately 9,000 institutions.

The learning management system 'Canvas,' used by schools and universities for distributing course materials, submitting assignments, managing grades, and facilitating communication between teachers and students, was temporarily unavailable at schools and universities across the United States due to a data extortion attack by the cybercrime group 'ShinyHunters.'
Instructure Status - Confirmed Security Incident
Canvas Breach Disrupts Schools & Colleges Nationwide – Krebs on Security
https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/
Canvas login portals hacked in mass ShinyHunters extortion campaign
https://www.bleepingcomputer.com/news/security/canvas-login-portals-hacked-in-mass-shinyhunters-extortion-campaign/
Canvas outage wreaks havoc for students during college finals | AP News
https://apnews.com/article/canvas-outage-college-students-exams-grades-209a51692f043a959459dbe37fb34e4b
Canvas is a widely used service for university lecture pages and online learning environments in elementary, middle, and high schools. Students read course materials, submit assignments, and participate in tests and discussions on Canvas. Instructors grade and communicate through Canvas, so if Canvas goes down, it's not just a 'website outage' but could potentially bring the entire class to a halt.
Instructure, the company that operates Canvas, detected the unauthorized access on April 29, 2026, and began an investigation. As of May 2, Instructure stated that the information that may have been stolen included identification information such as names, email addresses, and student ID numbers, as well as messages between users. However, they stated that they had not found any evidence that more sensitive information, such as passwords, dates of birth, government-issued IDs, or financial information, was included.
Instructure initially stated that the issue had been contained and Canvas was operating normally, but on May 7th, ShinyHunters messages began appearing on the login screen. Instructure explained that after some users saw malicious messages on their screens on May 7, 2026, they switched Canvas to maintenance mode for investigation and containment.
The Canvas login page displayed a ransom demand message from an attacker calling themselves ShinyHunters, threatening to leak data from students and faculty at approximately 9,000 educational institutions. Because the outage occurred during the final exam period for many schools in the United States, some universities reported disruptions to exams and assignment submissions.
ShinyHunters is a cybercrime group known for stealing data and demanding ransoms from companies and organizations. In this attack, the attackers not only demanded payment from Instructure but also reportedly urged affected schools to 'negotiate individually if they wish to avoid data disclosure.' The payment deadline was initially set for May 6th, but was later extended to May 12th. The attackers claim that data from approximately 9,000 schools and 275 million people is involved, but the number of people and the amount of data claimed by the attackers have not yet been independently verified.

Instructure has cited a vulnerability in support tickets for its 'Free for Teacher' environment, which allows educators to use Canvas for free, as one of the causes of the unauthorized access. Instructure explained that the unauthorized access detected on April 29 and the unauthorized access on May 7 were related to the same issue, and temporarily suspended Free for Teacher accounts. Furthermore, it stated that it has implemented measures such as invalidating authoritative credentials and access tokens, rotating internal keys, restricting token creation paths, and strengthening monitoring. It also stated that it has hired CrowdStrike as an external forensic investigation firm and has notified the FBI, CISA, and international law enforcement agencies.
Instructure's response has also drawn criticism for its explanations. Security media outlet KrebsOnSecurity criticized Instructure for displaying the portal as 'scheduled maintenance' after Canvas displayed the attacker's message. Dipan Mann of security firm Cloudskope criticized the response for making the attack-induced downtime appear as scheduled maintenance, pointing out that the explanation that the system was 'contained' on May 2nd was inconsistent with the re-intrusion on May 7th. However, in an update on May 9th, Instructure apologized to users for 'failing to provide more consistent communication' and stated that it would publish confirmed information on a dedicated incident update page in the future.
ShinyHunters is a group that has been named in the past for large-scale data theft and extortion, and is known to often infiltrate companies using voice phishing and social engineering, impersonating IT personnel. ShinyHunters has claimed to have attacked ADT, Medtronic, Rockstar Games, McGraw Hill, 7-Eleven, and Carnival, among others. Charles Carmakal of Google's cybersecurity firm Mandiant Consulting declined to comment specifically on the Canvas case, but stated that multiple intrusion and extortion campaigns by ShinyHunters are ongoing simultaneously.
in Web Service, Security, Posted by log1d_ts







