Educational institutions across the United States and around the world are dealing with fallout from a large-scale breach of the Canvas learning management system that reportedly exposed names, email addresses and private communications among students, faculty and staff.
The hacking group ShinyHunters announced in a May 3 post on its website that it had taken approximately 6.65 terabytes of Canvas-related data connected to almost 9,000 schools globally. The group said the material included student names, email addresses and private messages exchanged between students, teachers and other personnel.
According to a person familiar with the incident, a number of affected schools and universities attempted to engage directly with the hackers in private to dissuade them from publishing the data. That outreach was reportedly carried out on an individual basis by the institutions, rather than through the Canvas parent company.
ShinyHunters later posted on May 5 that the Canvas parent company, Instructure, "had not even bothered speaking to us" to try to keep the data from being released, and that the group's financial demand "was not even as high as you might think it is." That posting included a list of roughly 1,400 specific schools and district accounts and invited those institutions to contact the group to negotiate and prevent posting.
Student-run publications and campus reports have described widespread disruption as learners prepare for end-of-year assignments and final examinations. One campus newspaper noted that the incident interfered with students attempting to study for finals, and students at multiple schools reported finding a note from ShinyHunters when they tried to log into Canvas on May 7, including a link to the list of affected institutions.
Instructure initially disclosed on May 1 via its support site that it was investigating a cybersecurity incident. A follow-up post signed by Chief Information Security Officer Steve Proud on May 2 said the "information involved" in the incident included Canvas user names, email addresses, student ID numbers and messages among users.
On May 6 the company posted an update saying the situation had been resolved and that Canvas was fully operational. Despite that, Instructure temporarily took Canvas, Canvas Beta and Canvas Test offline after the May 7 reports of the ShinyHunters note; Canvas access was restored about four hours later, while Canvas Beta and Canvas Test remained in maintenance mode according to the company's support site.
ShinyHunters removed the two initial messages from its website by May 7 and replaced them with a statement saying it was "not commenting and have no further comment to make regarding this global incident." A representative of the group declined to answer questions sent via online chat.
Extortion and ransomware operators commonly take claims about victims down from public sites for a variety of reasons, including situations where a target has paid or is engaged in direct negotiations, although the group did not specify motivations for removing the posts in this case.
District-level responses to the incident varied. A letter to parents from the South Orange-Maplewood School District indicated the breach occurred on April 25 and that Instructure detected unauthorized activity on April 29. In Maryland, Montgomery County Public Schools informed students, staff and families that while Canvas was returning to service, the district would continue to restrict access out of an abundance of caution until all services were reviewed and confirmed safe for use.
Instructure did not respond to a request for comment. The company reports that Canvas supports some 30 million active users ranging from kindergarten through college age.
The incident highlights the sensitivity of data held by learning management systems and the operational impact when those platforms are targeted. Institutions coordinating examinations, final projects and other time-sensitive academic processes were among those reporting interruptions, and several schools pursued direct engagement with the attackers in attempts to stave off publication of stolen records.
As this situation evolves, affected schools and districts appear to be balancing rapid restoration of educational services with additional cautionary steps to review system safety. The sequence of posts by the hacker group, the individual outreach by schools and the temporary service outages together illustrate the complex response challenges posed when a widely used education platform suffers a reported data exfiltration incident.