Students revising for finals got an ugly surprise this week when they tried to log into Canvas. Instead of lecture notes, quizzes, or grade postings, many saw a ransom note from a hacking group called ShinyHunters.
The disruption hit on Thursday, May 7, right in the middle of spring finals season. Across the United States, universities, including Harvard, Georgetown, Columbia, Rutgers, Princeton, and the University of Pennsylvania, watched their Canvas pages go dark or display the hackers’ message.
School districts in states from California to Oklahoma and Virginia reported the same problem. Canvas, run by Instructure, serves more than 30 million users at over 8,000 institutions worldwide.
ShinyHunters said they had breached Instructure again and accused the company of ignoring them and only applying minor security patches.
They gave Instructure until the end of the day on May 12 to negotiate or face the release of massive amounts of stolen data.
Also Read: Iran Hackers Leak Private Photos After Hacking FBI Director Kash Patel
This came after an earlier incident on May 1, during which Instructure confirmed it had been the target of a cybersecurity attack.
The company said it contained the breach quickly, but usernames, email addresses, and student ID numbers were exposed.
ShinyHunters later claimed they grabbed far more, 275 million records and 3.65 terabytes of data, including private messages between students and teachers.
Many students felt the timing couldn’t have been worse, as some, such as Anish Garimidi, a junior at the University of Pennsylvania, were studying when he got locked out.
“The biggest cause of fear and anxiety in me is that I was deprived of significant resources to study and do the best,” he told CNN reporters.
Some worried about missing quizzes or midterms. Senior Melanie Topchyan at the University of California, Riverside, said she missed a quiz and now has a tough midterm with limited access to lecture recordings.
Also Read: Trump Tariffs Deemed Illegal by Court of International Trade
Not everyone was upset, as some students said they were not bothered by the chaos because of earlier preparations.
A Georgetown sophomore who had already returned home said the hack brought deadline extensions.
“I was already in a good spot to finish all my papers, so I’m not too bothered by it,” she said. Professors at many schools scrambled to send materials through email or other platforms.
Canvas is in maintenance mode
Instructure put Canvas into maintenance mode on Thursday afternoon and said it was investigating. The company has not publicly detailed the full scope of the latest incident.
Universities sent alerts urging students to stay calm while they worked with Instructure and, in some cases, law enforcement.
ShinyHunters is no stranger to big targets. The group has claimed responsibility for breaches at Ticketmaster, Google, and several universities in the past.
This time, they posted a list of nearly 9,000 affected schools and invited individual institutions to negotiate privately if they wanted to protect their data.
Risk of relying on third-party education platforms like Canvas
The breach raises fresh questions about reliance on third-party education platforms. Canvas handles everything from assignment submissions to private discussions.
A leak of billions of messages could expose sensitive personal details at a scale that worries privacy experts and parents alike.
Access remained patchy at many schools as of Thursday night. Some universities have already rescheduled exams. Others are telling students to look at their email and other sites for instructions.
The May 12 deadline is now just days away. Whether Instructure or individual schools will pay anything remains unknown.
In the meantime, thousands of students are trying to finish the semester, but a routine week of finals has turned into a lesson in digital vulnerability.
