In a nutshell: An outage on Canvas last week did more than interrupt logins. It exposed how much modern education depends on a single platform – and how vulnerable that platform can be when something goes wrong. Instructure, the company behind the widely used learning platform, said it had been dealing with a cybersecurity incident since at least May 1. By Thursday, the situation had spilled into public view as Canvas was pushed into maintenance mode, briefly cutting off access for students and educators across the US. The timing made the disruption especially noticeable, landing in the middle of finals and end-of-term deadlines at many schools.
The company's chief information security officer, Steve Proud, wrote in an incident log that Instructure had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor." A day later, he added that the exposed data included names, email addresses, student ID numbers, and messages exchanged on the platform. How many users were affected remains unclear.
What is clear is how far the disruption spread. Universities including Harvard University, Columbia University, Rutgers University, and Georgetown University alerted students, while school districts in multiple states also reported issues. Because Canvas is so widely adopted, even a temporary outage created immediate problems. What began as a security incident quickly became an operational one.
The attackers, operating under the name ShinyHunters, did not keep a low profile. As the situation unfolded, they escalated the attack: some school login pages were defaced after the attackers injected their own HTML, replacing standard login screens with messages tied to the breach.
The Harvard Crimson reported that one such message listed the allegedly affected schools and urged institutions to contact the sender before May 12 to avoid having their data released. The paper added that it was unclear what information related to Harvard affiliates was included in the alleged breach.
This combination of intrusion and public pressure is becoming increasingly common. Rather than quietly stealing data, threat groups often try to force a response by creating visible disruption or reputational risk.
The identity behind ShinyHunters is less straightforward. The name has previously been linked to major data breaches, but researchers say it does not necessarily refer to a single, stable group. Allison Nixon, chief research officer at Unit 221b, told Wired that the activity in this case appears tied to a cluster sometimes referred to as ScatteredLapsus$Hunters, part of a broader and shifting network of actors linked to what is known as "the Com."
The group's messaging has also followed a familiar playbook. At one point, a dark-web site associated with the attackers listed Instructure and its customers as victims and included a complaint: "Instructure has not even bothered speaking to us to understand the situation or to even negociate [sic] with us to prevent the release of this data. The Company seemingly does not care about all the students affected and the institutions impacted by this data breach." Later, those references disappeared, and the site itself became unresponsive.
That kind of change is common in these cases. "This is often one of their manipulation tactics to try to encourage the victim to pay," Nixon said. "So while they're negotiating or after they've paid, they might take that victim off the site, or depending on how negotiations go, they might put the victim back on."
In some cases, the pressure escalates further. Nixon said groups tied to this ecosystem have used tactics that go beyond technical attacks, including denial-of-service campaigns, mass phone calls, and direct threats. "These kind of pressure tactics start to look a whole lot more just violent mafia rather than any kind of skilled hacker stuff," she said.
There is also reason to be cautious about the attackers' claims. The same infrastructure has previously listed other high-profile organizations as victims, sometimes using recycled or previously stolen data to make breaches appear larger than they actually are.
Still, the Canvas incident stands out for its immediate real-world impact. It shows how a compromise at the platform level can ripple outward, affecting thousands of institutions at once. In higher education, where ransomware and data extortion are already persistent problems, that level of centralization raises the stakes.
For Nixon, the bigger concern is how long groups like this have been able to evolve. "It's noteworthy that a tiny number of repeat offenders can escalate for years to reach this point," she said. "It speaks to the systemic international issue of cybercrime and the need for governments around the world to set geopolitics aside and cooperate to stop those who extort money and prey on kids."

