ShinyHunters Breaches Instructure Canvas, Disrupting Thousands of US Schools During Finals

A cyberattack disrupted Canvas, the web-based learning platform owned by Instructure and used by universities and K-12 schools, shutting it down during final exams season as students and teachers across the US and beyond scrambled for alternatives.

Instructure said Canvas was available again “for most users,” while Canvas Beta and Canvas Test remained in maintenance mode, and the outage had already forced some schools to cancel or reschedule exams.

6abc Philadelphia

The hacking group ShinyHunters claimed responsibility and, in a message reported by TIME, said “ShinyHunters has breached Instructure (again),” after warning schools to negotiate a settlement.

Luke Connolly, a threat analyst at Emisoft, told the Associated Press that the group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed.

Students described immediate fallout from the Canvas shutdown, including Melanie Topchyan, a senior at the University of California, Riverside, who told CNN, “It is a little bit of a freakout,” after missing a quiz.

At the University of Pennsylvania, Anish Garimidi said he was logged out of Canvas while trying to study, and he told CNN, “The biggest cause of fear and anxiety in me is

ABC13 Houston

Instructure’s response drew attention to how the company said it contained access and investigated the incident, with TIME quoting the company’s statement that it temporarily took Canvas offline “out of an abundance of caution.”

Luke Connolly also described ShinyHunters to the Associated Press as “a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom,” as schools posted guidance and students checked whether course materials were still accessible.

The breach raised concerns about personal information, with Instructure disclosing that names, email addresses, student ID numbers and messages among users could have been exposed, while it said it found no evidence that passwords, birth dates, government identification details or financial information had been accessed.

Instructure also said it had experienced “a cybersecurity incident perpetrated by a criminal threat actor,” and the company added that the breach had been “contained” as of May 2, even as some universities continued reporting outages.

ShinyHunters set deadlines tied to extortion, and the BBC reported that targeted threats began on Sunday with deadlines given on Thursday and 12 May, while Luke Connolly said discussions regarding extortion payments could be ongoing.

For universities, the stakes were immediate academic disruption and ongoing vigilance, with Penn State telling students “no one has access” to Canvas and that a “resolution” was unlikely “within the next 24 hours,” and the University of Sydney telling students “Canvas was unavailable” and instructing them not to attempt to log in.