An attack on the popular Instructure Canvas learning management system has caused major disruptions for schools and universities in the US, just as students gear up for finals. This poses a serious threat to the personal data of millions of students and teachers.
Multiple institutions reported outages affecting the web-based Canvas platform on Thursday, with users encountering ransom messages posted directly to school Canvas homepages. According to Instructure, Canvas serves more than 30 million active users worldwide. The company’s public status page showed that while most services had been restored by late Thursday, Canvas Beta and Canvas Test remained in maintenance mode.
The ransomware and extortion group ShinyHunters has claimed responsibility for the attack. In a ransom message published by Ransomware.live, the group alleged it had accessed data belonging to more than 275 million people across nearly 9,000 schools and educational institutions. The group further threatened to leak “billions of private messages” exchanged between students and teachers if it did not receive a response from Instructure by 12 May.
A number of high-profile colleges and public schools, such as Harvard University, Princeton University, Columbia University, and Georgetown University, have reportedly received ransom letters via their respective Canvas portals, exacerbating fears among students already stressed by exams and assignments.
There has been no official confirmation from Instructure about the extent of any potential data leak or about the validity of ShinyHunters’ claims. The breach nevertheless demonstrates the increasing vulnerabilities in educational tech platforms that store vast amounts of students’ private information in the cloud.
Following a consistent formula
Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace, says: “Unfortunately, this incident with Instructure is not uncommon as ShinyHunters follows a consistent formula: target a widely used platform, exploit the access it provides, and weaponize the data against the institutions that trusted it. The education sector is a particularly attractive target given the high volumes of sensitive student data, limited security resources, and the critical role platforms like Canvas play in the operations of thousands of schools. When one platform goes down, so do its 9,000+ customers.”
The key takeaway, seen time and again, Jones adds, is that when a single platform supports a large portion of an industry like higher education, a breach at one vendor can have widespread impact.
An unusual concentration of sensitive data
Darren Guccione, CEO and Co-Founder at Keeper Security, adds: “The breach affecting Instructure is a serious incident, and the scale being reported, which includes hundreds of millions of users across thousands of institutions globally, reflects the kind of high-value target ShinyHunters has pursued with increasing frequency. Educational platforms hold an unusual concentration of sensitive data, such as personal identifiers, institutional records and private communications, making this a particularly consequential exposure.”
This is not Instructure’s first encounter with ShinyHunters, says Guccione. In September 2025, the group breached the company’s Salesforce environment via social engineering. ShinyHunters now claims this latest attack reached the same environment, this time through a vulnerability that has since been patched. Two confirmed breaches by the same threat actor on the same platform suggest a pattern that demands scrutiny of whether remediation following the first incident went far enough.
“Every organization operating SaaS at scale must treat identity and access governance as a continuous discipline, not a post-incident checklist. Cloud environments require ongoing auditing of permissions, strict enforcement of least-privilege access, and robust controls over both human and non-human identities, including service accounts and third-party integrations that can quietly expand an attacker’s access long after initial entry. Privileged Access Management plays a critical role in enforcing those boundaries and limiting the blast radius when a breach does occur. ShinyHunters has repeatedly demonstrated that access governance failures are not theoretical risks, but an open invitation.”
Numbers not to take lightly
The ransomware attack that is currently underway on the Canvas platform is indicative of the scale of potential impacts that data breaches can have today, adds Tony Jarvis, Vice President and Field CISO at Darktrace. “Nearly 9,000 schools and universities worldwide affected, potentially 275 million individuals affected – neither are numbers to take lightly. Nor is the timing, given the impact on students submitting final assignments.”
For those students who may be affected, Jarvis advises changing your passwords, enabling multi-factor authentication, and being on the lookout for any email phishing attempts – even if you don’t think you’ll be affected.
They are disciplined and financially motivated
Hüseyin Can Yüceel, security research lead at Picus Security, says: “ShinyHunters is not an opportunistic group that accidentally stumbles into major breaches. They are a disciplined and financially motivated threat actor with a well-established operational playbook. The fact that they reportedly regained access after patches were applied strongly suggests that the original access vector or persistence mechanism was never fully eliminated. Against a threat actor this persistent, patching alone is rarely sufficient. Organizations need to conduct thorough threat hunting for residual artifacts and continuously validate their defenses to ensure the entire intrusion path has truly been eliminated.”
A massive downstream risk
On the group’s targeting of education, Yüceel says higher education has increasingly become a strategic target for ShinyHunters, and the reported compromise involving Canvas aligns directly with that trajectory. “We observed the group targeting Harvard in late 2025, and now they appear to have shifted toward the broader infrastructure layer that supports thousands of academic institutions. That is what makes this incident particularly significant. A compromise affecting Instructure potentially creates downstream risk for nearly 9,000 institutions at once. From an attacker’s perspective, that represents an exceptionally efficient and scalable target.”
More concerned with the nature than the raw volume
Speaking of the data, Yüceel says that while the figure of 275 million exposed records is alarming on its own, security professionals are often more concerned with the nature of the data than the raw volume. “Information such as names, email addresses, student identifiers, and private communications between students and faculty creates an ideal foundation for future social engineering campaigns. Groups like ShinyHunters do not operate solely through extortion. They are deeply embedded in a broader cybercriminal ecosystem where stolen data is monetized, traded, and reused by other threat actors.”
Operating across interconnected criminal networks
Talking about ShinyHunters’ tactics, Yüceel adds that what makes ShinyHunters particularly dangerous is the way they operate across interconnected criminal networks. “The group has been linked to collaborations with actors associated with Scattered Spider and The Com, particularly in large-scale voice phishing operations. They increasingly leverage AI-generated voice technology to make social engineering attempts more convincing and more difficult to detect. They have also demonstrated an ability to recruit insiders with legitimate access to VPN and identity infrastructure. Unlike smash-and-grab cybercrime operations, ShinyHunters employs a sophisticated intrusion model that blends social engineering, credential abuse, insider access, and long-term technical persistence to maintain access and maximize impact.”
We’re potentially talking about minors
Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at Huntress, adds: “The education sector is uniquely vulnerable when it comes to data breaches, not because of weak technology, but because of who the data belongs to. We’re potentially talking about minors. Children whose personal information, including names, email addresses, and student IDs, could now be in the hands of criminal actors. Unlike a credit card that can be cancelled, a child’s identity and educational record follow them. The implications for identity theft, targeted social engineering, and even safeguarding are serious and long-lasting.”
Patel advises staying alert to phishing. “Attackers who have your name, email, and institution can craft highly convincing messages pretending to be from your school, Canvas, or even a specific teacher. If something requests login details or seems urgent, verify it through an official channel before acting.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


