Canvas breach halts classes across U.S. schools and colleges

Canvas breach forces nationwide class shutdowns

Early Thursday morning, a data‑extortion operation hijacked the login portal of Instructure’s Canvas platform, leaving students and faculty at ↓ 9,000 schools unable to submit assignments or access grades. The ransom note, posted by the ShinyHunters group, warned that data belonging to ↓ 275 million users could be published unless a payment was made.

How the breach unfolded

Instructure initially reported a breach on May 6, claiming only names, email addresses and student IDs had been exposed. Later that day, users were greeted by a defaced login screen demanding cash, prompting the company to pull Canvas offline and replace it with a generic “scheduled maintenance” banner.

“We are working around the clock to restore service and will communicate directly with affected institutions,” Instructure said on its status page.

The group’s extortion message urged each school to negotiate its own payout, sidestepping any corporate response. Sources close to the investigation told Reuters that several universities have already opened negotiations.

Security analyst Dipan Mann of Cloudskope blasted Instructure for downplaying the incident as routine maintenance. He noted that this is at least the third Canvas intrusion by ShinyHunters in eight months, following a 2025 breach of University of Pennsylvania data that was later linked to the same platform.

ShinyHunters, a notorious extortion gang, typically gains entry via voice‑phishing attacks on single‑sign‑on services. Recent campaigns have hit ADT, Medtronic and Carnival, according to Bloomberg.

With final exams in progress, the outage threatens to disrupt grading cycles and could force institutions to adopt emergency assessment methods, echoing challenges first seen during the pandemic when many schools shifted to remote learning.

Instructure announced on May 8 that Canvas is back online, but the company has permanently disabled “Free‑for‑Teacher” accounts, the vector allegedly exploited in the attack. A formal notice was sent to affected organizations on May 6, and the firm warned against relying on unverified third‑party lists.

Words by Nova Stirling (Aerospace & Space Tech Correspondent).