Nationwide Canvas Outage: Q&A on the Massive Data Extortion Attack
In early May 2025, the educational platform Canvas, used by thousands of schools and universities across the United States, was hit by a severe data extortion attack. The cybercriminal group ShinyHunters defaced the login page with a ransom note, threatening to leak data on 275 million students and faculty from nearly 9,000 institutions. Parent company Instructure initially disabled the platform to contain the breach, later confirming that names, email addresses, and student IDs were compromised—but not passwords or financial details. The attack disrupted classes and final exams nationwide. Below are answers to key questions about this incident.
What exactly happened during the Canvas breach?
On May 7, 2025, users attempting to log into Canvas were greeted by a ransom demand from the cybercrime group ShinyHunters instead of the usual login page. The group claimed to have stolen data on 275 million students and faculty from nearly 9,000 schools, colleges, and universities. Instructure, Canvas's parent company, had already disclosed a data breach earlier that week. In response to the defacement, Instructure pulled the platform offline, replacing it with a “scheduled maintenance” message. The outage continued for several hours, disrupting coursework, assignment submissions, and communication between teachers and students.
Who is behind the attack and what are they demanding?
The attack was carried out by ShinyHunters, a well-known cybercriminal group specializing in data breaches and extortion. They claimed responsibility for the Canvas breach and threatened to publish the stolen data unless a ransom was paid. Initially, the deadline for payment was set to May 6, 2025, but it was later extended to May 12. The extortion message also encouraged individual affected institutions to negotiate their own ransom payments with the group, suggesting that schools might pay to prevent their specific data from being leaked, regardless of whether Instructure paid a global ransom.
How many users and institutions are affected?
According to ShinyHunters, the breach impacts approximately 275 million individuals—students, faculty, and staff—across nearly 9,000 educational institutions that use Canvas. This includes K-12 school districts, colleges, universities, and some businesses that rely on the platform for learning management. While the exact number of confirmed victims varies, the scale is massive, affecting millions of people nationwide. The breach is one of the largest ever targeting the education technology sector.
What type of data was stolen, and how sensitive is it?
Instructure’s official statement from May 6, 2025, indicated that the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.” ShinyHunters claims the haul also includes several billion private messages and phone numbers. However, Instructure found no evidence that passwords, dates of birth, government IDs, or financial data were taken. While the exposed data is not highly sensitive like Social Security numbers for many, the combination of names, IDs, and private messages could fuel identity theft and phishing attacks.
How did Instructure respond to the incident?
Instructure responded by first taking Canvas offline to prevent further defacement and unauthorized access. They replaced the login portal with a “scheduled maintenance” notice and posted updates on their status page, stating they anticipated being back soon. In a May 6 update, the company said “the incident has been contained,” and they were not seeing ongoing unauthorized activity. They also launched an investigation and notified law enforcement. However, the subsequent defacement on May 7 forced them to extend the outage, causing major disruption for schools in the middle of final exams.
Why is the timing of this outage particularly damaging?
The attack came at an especially critical time for many schools and universities: final exams and end-of-year assessments were underway. A prolonged Canvas outage prevented students from submitting assignments, accessing study materials, or communicating with teachers through the platform. For educators, grading and finalizing student records were delayed. The disruption also raised concerns about the security and reliability of cloud-based learning tools, which have become essential since the pandemic. If the outage continues, it could lead to postponed exams, academic calendar disruptions, and reputational harm for Instructure.
What should affected students and faculty do now?
Affected users should watch for official updates from their institution and from Instructure regarding system restoration. They should also be alert for phishing emails or messages that might exploit the breach—cybercriminals often use stolen names and email addresses to craft convincing scams. Students and faculty can also check with their school’s IT department about alternative ways to submit final assignments or access course materials. Changing passwords for other accounts that share the same email address is advisable, even though passwords were not compromised in this breach. Individuals concerned about identity theft can monitor their credit reports or use identity theft protection services.
Will the data be leaked, and what are the next steps?
As of the latest updates, ShinyHunters has not yet published the stolen data, but the ransom deadline was extended to May 12, 2025. The group may still release the information if no payment is made. Instructure has not indicated whether they plan to pay the ransom. Individual schools and universities may choose to negotiate separately, as suggested by the extortion note. Moving forward, Instructure will likely implement stronger security measures, and the incident may prompt broader regulatory scrutiny of data protection in educational technology. Meanwhile, affected institutions are preparing contingency plans for their academic schedules.