ShinyHunters Disrupts US Education: Canvas LMS Hit by Data Breach and Extortion Attempt
Thousands of schools across the United States experienced significant disruption after **Canvas**, a widely used digital learning platform, was targeted in a data breach and extortion attempt. The attack, claimed by threat actors using the name **ShinyHunters**, led to widespread downtime and chaos during critical end-of-year assignments and finals.
Higher education has long been a target of ransomware gangs and data extortion attacks. But rarely has a cyberattack against a single software platform so thoroughly disrupted the daily operations of thousands of schools across the United States.
The widely used digital learning platform **Canvas** was put into "maintenance mode" on Thursday after its maker, the education tech giant **Instructure**, suffered a data breach and faced an extortion attempt by attackers using the recognizable moniker **ShinyHunters**. Though the hackers have been advertising the breach and attempting to extract a ransom payment from **Instructure** since May 1, the situation took on additional immediacy for regular people across the US and beyond on Thursday because the **Canvas** downtime caused chaos at schools, including those in the midst of finals and end-of-year assignments.
### Impact on Educational Institutions
Universities like **Harvard**, **Columbia**, **Rutgers**, and **Georgetown** sent alerts to students about the situation in recent days; other institutions, including school districts in at least a dozen states, also appear to have been affected. In a list published by the hackers behind the attack on their ransom-focused dark-web site, they claim the breach affected more than 8,800 schools. The exact scale and reach of the breach are unclear, though, and the fact that **Canvas** was down throughout Thursday afternoon and evening further complicated the picture.
In a running incident update log that began on May 1, **Steve Proud**, **Instructure**'s chief information security officer, said that the company had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor." He added on May 2 that "the information involved" for "users at affected institutions" included names, email addresses, student ID numbers, and messages exchanged by users on the platform.
The situation was ultimately marked as "Resolved" on Wednesday, with **Proud** writing that "**Canvas** is fully operational, and we are not seeing any ongoing unauthorized activity." At midday on Thursday, though, the **Instructure** status page registered an "issue" where "some users are having difficulties logging into Student ePortfolios." Within a few hours, the company had added another status update: "**Instructure** has placed **Canvas**, **Canvas** Beta, and **Canvas** Test in maintenance mode." Late Thursday evening, the company said that **Canvas** was available again "for most users."
### Defacement and Extortion Tactics
TechCrunch reported on Thursday that the hackers launched a secondary wave of attacks, defacing some schools' **Canvas** portals by injecting an HTML file to display their own message on the schools' **Canvas** login pages. According to The Harvard Crimson, attackers modified the **Harvard** **Canvas** login page to show a message that included a list of schools that the hackers claim were impacted by the breach.
The message from attackers "urged schools included on the affected list to consult with a cyber advisory firm and contact the group privately to negotiate a settlement before the end of the day on May 12, or else risk their data being leaked," The Crimson reported. "It is unclear what information tied to **Harvard** affiliates was included in the alleged breach."
**Instructure** did not immediately respond to a request for comment about Thursday's outages and how they fit into the bigger picture of the breach. But the situation is significant given that a massive trove of student information has potentially been exposed, and the visibility of the incident across the country makes it a key example of a long-standing yet endlessly escalating problem of data extortion and ransomware attacks.
### The ShinyHunters Connection
The **ShinyHunters** name is associated with massive data dumps and has been linked to the infamous hacker collective known as the **Com**. But as the constellation of actors has shifted over the years, numerous attackers have taken up the most prominent **Com**-related monikers. A number of recent attacks have invoked other names, such as **Lapsus$**, with little or no connection to the original group that operated under the name.
In the case of **Canvas**, it is similarly unclear who is acting behind the **ShinyHunters** name. **Allison Nixon**, the chief research officer at cybersecurity firm Unit 221b who has closely tracked **ShinyHunters** and other ransomware groups, says the activity appears to be related to recent activity from a group of hackers sometimes referred to as ScatteredLapsus$Hunters.
Earlier on Thursday, a dark-web site used by hackers operating under the **ShinyHunters** name to threaten and extort their targets listed both **Instructure** and the schools that use its software as victims, along with a note from the hackers complaining that **Instructure** hadn't responded to its demands to negotiate a payment. "**Instructure** has not even bothered speaking to us to understand the situation or to even negociate [sic] with us to prevent the release of this data," the statement read. "The Company seemingly does not care about all the students affected and the institutions impacted by this data breach."
By Thursday evening, however, those references to **Instructure** and its customers had disappeared from the site, which later became unresponsive. While ransomware gangs sometimes remove victims from their dark-web sites in response to their agreeing to pay a ransom, victims can also be removed by the hackers as a negotiating tactic, says **Nixon**.
"This is often one of their manipulation tactics to try to encourage the victim to pay. So while they're negotiating or after they've paid, they might take that victim off the site, or depending on how negotiations go, they might put the victim back on," **Nixon** says.
She adds that, in the midst of those negotiations, **Com**-associated hacker groups have been known to escalate to more extreme coercive tactics to maximize the victim's incentive to pay, including distributed denial of service attacks, flooding the company with phone calls and emails, and even threatening executives' families. "These kind of pressure tactics start to look a whole lot more just violent mafia rather than any kind of skilled hacker stuff," **Nixon** says.
The hackers in fact list numerous other victims on their dark-web site that have previously been reported as **ShinyHunters** targets, including **Amtrak**, **Harvard**, **University of Pennsylvania**, **Rockstar Games**, **Match**, **Hinge**, and **Bumble**, though WIRED couldn't confirm whether those organizations had in fact been breached by this specific subgroup of the **Com**. **Nixon** warns that the hackers behind the **Canvas** attack have in fact used old or recycled data to exaggerate claims of breaches in the past.
This latest attack and the disruption it has caused for schools across the country, however, are all too real, and represent a significant escalation from this particular ransomware gang. "It's noteworthy that a tiny number of repeat offenders can escalate for years to reach this point," says **Nixon**. "It speaks to the systemic international issue of cybercrime and the need for governments around the world to set geopolitics aside and cooperate to stop those who extort money and prey on kids."