Instructure is facing mounting pressure after cybercrime group ShinyHunters hijacked Canvas login pages at hundreds of universities and threatened to release what it claims are hundreds of millions of stolen student records unless a ransom demand is met by 12 May.
The attack disrupted access to coursework and academic materials during finals week at major institutions including Harvard University, Columbia University, Princeton University, Georgetown University and University of Pennsylvania, as students logging into the Canvas platform found ransom notes replacing normal dashboards.
The incident has quickly escalated into one of the largest education-sector cybersecurity crises in recent years, potentially affecting institutions across the United States, Europe, Australia and New Zealand.
Canvas, the cloud-based learning management platform operated by Instructure, supports more than 30 million active users globally across over 8,000 educational institutions. The platform is widely used for coursework submissions, grading, messaging and exam preparation.
The company first disclosed a security breach on 1 May. Steve Proud, Instructure's chief information security officer, said at the time that a "criminal threat actor" had gained access to "certain identifying information," including names, email addresses, student ID numbers and user messages.
Proud stated there was "no evidence that passwords, dates of birth, government identifiers, or financial information were involved."
By 6 May, Instructure publicly declared the incident resolved. One day later, ShinyHunters launched a far more visible escalation.
According to reporting by TechCrunch, the group defaced login pages at roughly 330 universities, replacing sign-in portals with an extortion demand accusing Instructure of ignoring previous contact attempts.
"ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches,'" the message stated.
Instructure responded by temporarily placing Canvas into maintenance mode globally while institutions scrambled to restore access for students in the middle of exam preparation.
Cybersecurity firm Halcyon said ShinyHunters claims to possess approximately 3.65 terabytes of stolen data tied to as many as 275 million records from 8,809 institutions. TechCrunch separately reported the group claimed the breach affected 231 million people. Neither estimate has been independently verified.
The alleged data cache reportedly includes:
- Student and faculty names
- Email addresses
- Internal Canvas messages
- Account records
- Institutional communication logs
At the University of Pennsylvania alone, the group claimed access to data tied to more than 306,000 users. The Daily Pennsylvanian reported it reviewed samples allegedly supplied by ShinyHunters.
Joshua Beeman, Penn's chief information officer, said the university was "collaborating with the affected vendor, industry professionals, and law enforcement to assess any potential impact."
ShinyHunters has built a reputation over several years for large-scale data theft and extortion campaigns. Threat intelligence researchers describe the collective as a decentralized but highly sophisticated cybercrime operation that previously targeted cloud platforms, corporate databases and enterprise software vendors.
Halcyon noted the group follows a consistent "pay or leak" model that relies not on ransomware encryption but on threatening to publicly dump stolen information if victims refuse to negotiate.
Security analysts say the Canvas attack reflects an evolution in strategy. Rather than targeting a single university directly, the hackers compromised a third-party infrastructure provider used simultaneously by thousands of schools.
The practical impact has already spread far beyond IT departments. Students across multiple campuses reported being unable to retrieve assignments, lecture notes and study materials during final exams.
Anish Garimadi, a junior at the University of Pennsylvania, told CNN that losing access to Canvas created "fear and anxiety," adding that "the biggest cause of fear and anxiety in me is that I was deprived of significant resources to study."
Faculty members at several schools reportedly shifted to email and alternative platforms to distribute coursework while access issues persisted.
Halcyon warned institutions to assume compromise regardless of whether any ransom is ultimately paid. The firm advised universities to rotate Canvas API keys, OAuth tokens and single sign-on credentials immediately, while preparing for phishing campaigns using stolen academic information to impersonate school administrators, financial aid offices and IT support teams.
