ShinyHunters Disrupts Education Sector with Canvas Data Extortion Attack
A significant cyberattack targeted **Canvas**, a widely used education technology platform, disrupting classes and coursework across the U.S. The cybercrime group **ShinyHunters** defaced the login page with a ransom demand, threatening to leak data from millions of students and faculty.
An ongoing data extortion attack targeting the widely used education technology platform **Canvas** disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service's login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions.

**Instructure**, the parent firm of Canvas, responded to the defacement attacks by disabling the platform. Canvas is used by thousands of schools, universities, and businesses to manage coursework, assignments, and student communication.
### Initial Breach and Ransom Demand
Instructure acknowledged a data breach earlier in the week after **ShinyHunters** claimed responsibility, threatening to leak data on tens of millions of students and faculty unless a ransom was paid. The initial deadline was May 6, later extended to May 12.
In a statement on May 6, Instructure said that the stolen data included "certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users." The company found no evidence that more sensitive data, such as passwords or financial information, had been compromised.
The company initially claimed the incident was contained. However, by May 7, users reported seeing ShinyHunters' ransom demand on the Canvas login page, prompting Instructure to take the platform offline.
### Extortion Tactics and Potential Impact
The extortion message urged affected schools to negotiate ransom payments to prevent data publication, regardless of Instructure's actions.
A source close to the investigation indicated that some universities have already contacted ShinyHunters. The group also removed Instructure from their data leak blog, suggesting potential negotiations or payments.
### Cloudskope's Critique
**Dipan Mann**, founder and CEO of **Cloudskope**, criticized Instructure for labeling the outage as "scheduled maintenance." Mann highlighted that this is at least the third breach of Instructure by ShinyHunters in the past eight months. He pointed to a September 2025 incident where ShinyHunters released University of Pennsylvania files through a Canvas/Instructure-mediated access path.
Mann argues that the previous incident was a proof of concept, and the current events represent an escalation of the attack pattern.
### ShinyHunters' Modus Operandi
ShinyHunters is known for data theft and extortion, often gaining access through voice phishing and social engineering, impersonating IT personnel.
Last month, they targeted **ADT**, stealing personal information on 5.5 million customers by compromising an employee's **Okta** single sign-on account. They have also claimed responsibility for attacks against **Medtronic**, **Rockstar Games**, **McGraw Hill**, **7-Eleven**, and **Carnival**.
### Mandiant's Assessment
**Charles Carmakal**, CTO at **Mandiant Consulting**, noted that ShinyHunters is currently running multiple concurrent intrusion and extortion campaigns.
### Instructure's Response and Future Implications
Cloudskope's Mann suggests that the outcome depends on whether Instructure's customers pressure the company or absorb the breach quietly.
**Update:** Instructure has since published an incident update, stating that Canvas is operational again and that the hackers exploited an issue related to Free-for-Teacher accounts. They have temporarily shut down these accounts and notified affected organizations.