Canvas Platform Taken Offline by Extortion Attack

The point: The Canvas learning platform was taken offline after a cybercriminal gang claimed to possess data from 275 million users across nearly 9,000 educational institutions in an extortion attack.

A cybercriminal gang has disrupted the Canvas learning platform with an extortion demand and threatened to publish data from 275 million students and teachers across nearly 9,000 educational institutions. Operator Instructure took the platform offline, disrupting classes and exams nationwide.

The cybercriminal gang ShinyHunters defaced the Canvas platform’s login page with an extortion message, blocking access for schools and universities in the United States. Instructure had previously confirmed a data breach and subsequently took the platform offline to prevent further disruption. The affected infrastructure is used by thousands of schools, universities, and companies to manage courses, assignments, and student communications.

ShinyHunters stated that they first infiltrated Instructure systems on May 1 and initially demanded payment by May 6, later extending the deadline to May 12. According to Instructure’s statement on May 6, the stolen data included names, email addresses, student IDs, and messages between users. The company found no evidence of compromised passwords, birth dates, identification data, or financial information. However, ShinyHunters claims to have obtained several billion private messages as well as phone numbers. The timing is particularly unfortunate for Instructure: many affected schools and universities are currently conducting final exams, and extended downtime could cause substantial damage.

According to sources familiar with the investigation, several universities have already negotiated directly with ShinyHunters over ransom payments. Evidence of successful or ongoing negotiations includes the fact that the cybercriminal group has removed Instructure from its leak website and that sample data from Canvas customers is no longer visible, a pattern typically exhibited by extortion groups following ransom payments or when negotiations begin. The extortion message on the login page also urged schools to negotiate on their own, independently of Instructure’s decisions, in order to protect their data.

Instructure labeled the downtime on its status page as “scheduled maintenance” — a characterization that security experts criticized. Dipan Mann, CEO of security firm Cloudskope, accused the company of obscuring the actual cause, given that ShinyHunters had already demonstrated an initial breach on May 1.


Source: ainews-dev.lumi-systems.io · Published May 19, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.5.2.