An apparent cyberattack shut down an education platform used by universities and K-12 schools across the US Thursday, depriving students and teachers of essential classroom materials – at a time when many are taking or prepping for final exams.
Canvas, a popular, cloud-based digital hub for classrooms, has more than 30 million active users globally, with more than 8,000 institutions as customers, parent company Instructure says on its website.
Large public school systems and top universities like Columbia, Princeton, Harvard and Georgetown reported a ransom note signed by a hacking group had appeared on the homepage of their schools’ Canvas sites Thursday.
The apparent hack came after the group believed to be behind it warned Infrastructure in a ransom note to “pay or leak,” saying it had accessed data from millions of users, including students, teachers, and staff.
By late Thursday night, Instructure announced Canvas was available again “for most users,” but a number of schools had already extended deadlines and shuffled finals schedules because of the hack.
Here’s what we know.
How the Canvas hack unfolded
A University of Washington student who tried to log into Canvas around noon Thursday was greeted by a message from the hacking group ShinyHunters, which claimed to have “breached” the platform’s parent company, according to a screenshot obtained by CNN.
The note, reported by different student news outlets, demanded ransoms to prevent data leaks from the platform.
A student at the University of Pennsylvania said he was logged out of his Canvas account while studying for finals. Professors had to scramble to send class materials in other ways, the student said.
Universities across the country, including Columbia University, Rutgers, Princeton, Kent State, Harvard and Georgetown issued statements alerting students to the hack impacting institutions nationwide. School districts in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia and Wisconsin also reported being affected.
This is the second school data breach claimed by ShinyHunters this month. In Thursday’s ransom note, the group claimed it had hacked Instructure “again” and faulted the company’s response to the previous attack: “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”
On May 1, Instructure said it had “experienced a cybersecurity incident perpetrated by a criminal threat actor.” The company said the breach had been “contained” the next day but that usernames, email addresses, student ID numbers and communications from some institutions appeared to have been exposed.
ShinyHunters claimed in a ransom note shared on May 3 by Ransomware.live which tracks ransomware attacks and groups — that it breached 275 million individuals’ data and had access to “several billions of private messages,” giving a May 6 deadline for Instructure to reach out.
In a note Thursday, the hacking group gave schools impacted a May 12 deadline “to negotiate a settlement.”
CNN has reached out to Instructure for comment.
During the Canvas interruption, Instructure said Thursday it put the platform in “maintenance mode” as it investigated the issue. Later that night, it announced Canvas was available again “for most users.”
Who is ShinyHunters?
Little is publicly known about the hacking group that claimed responsibility for the Canvas outage, but cybersecurity researchers and federal authorities have linked the ShinyHunters name to several instances of high-profile data theft.
The group claimed responsibility for hacking Ticketmaster and attempting to sell user data on the dark web in 2024, CNN previously reported.
Earlier this year, Mandiant, a cyber-intelligence firm owned by Google, reported an increase in activity consistent with prior “ShinyHunters-branded extortion operations,” saying the attackers use sophisticated voice phishing and fake, company-branded login pages to harvest employee credentials before stealing sensitive data from cloud-based platforms for ransom.
In 2024, the US Department of Justice announced the sentencing of a member of what prosecutors described as a notorious international hacking crew tied to the ShinyHunters name. Authorities said a user operating under that moniker posted stolen data from more than 60 companies for sale on dark web forums and at times threatened to leak sensitive files if victims did not pay.
Court documents tied to the member who was sentenced show US-based victims included technology, entertainment, communications, clothing and fitness companies, as well as a video game developer.
How students and schools reacted
Melanie Topchyan, a senior at the University of California, Riverside, said she missed a quiz Thursday because of the outage and worried about staying on track. She said she has a midterm next week for a demanding course and relies on Canvas to revisit lectures and notes.
“It is a little bit of a freakout,” she told CNN.
Anish Garimidi, the University of Pennsylvania junior who was logged out of Canvas while trying to study, said he immediately felt a surge of anxiety.
“The biggest cause of fear and anxiety in me is that I was deprived of significant resources to study and do the best,” Garimidi told CNN.
For many students, the disruption landed at the worst possible moment. Georgetown sophomore Minhal Nazeer had returned home to Kentucky because all of her remaining coursework was online through Canvas.
But while some of her classmates were “freaking out,” she saw an upside in the extra time they got after professors extended deadlines.
“I was already in a good spot to finish all my papers, so I’m not too bothered by it, but I do see it is helping me a little, because I have gotten some extension. I just have more time to look over my things,” she said.
A Columbia University senior, who declined to be named, said the outage came at the “most inopportune time” – just as many students were shifting from celebratory end‑of‑year events to serious exam preparation.
That is particularly difficult, he said, for those who had only just begun compiling notes and study guides after having “pushed off the thought of having to take exams in the following week.”
James Madison University has moved its exams scheduled for Friday to Wednesday, the school said in an announcement.
The episode has underscored how deeply embedded Canvas has become in academic life at many institutions, not only as a submission portal, but as a central communications tool.
At the Massachusetts Institute of Technology, Allison Park, a junior, said professors were scrambling to locate students’ email addresses after losing access to Canvas’ announcement feature.
“The fact that this one website was the link between teaching staff and students outside of class – I didn’t realize how big of a dependency we had on it until they were scrambling to find our emails,” she said.
Liane Xu, another MIT student, said her courses rely on Canvas to collect assignments and manage grading. Although some professors host course materials on separate websites, she said critical resources, lecture videos, notes and study documents, are often stored within the platform.
As the semester draws to a close, she said, access to those materials is essential.
“It’s unfortunate and we’re sort of the victims of this,” said the Columbia senior.
This story has been updated with additional information.
CNN’s Sarah Hutter, Ray Sanchez, Maria Aguilar Prieto and Jillian Sikes contributed to this story.
For more CNN news and newsletters create an account at CNN.com
