A ransomware group calling itself ShinyHunters brought down Canvas, one of the most widely used online learning platforms in the United States, on Thursday, forcing universities to postpone or reschedule final exams just as students were preparing to take them.
Canvas parent company Instructure said it took the platform offline after identifying unauthorized activity in its network. By Friday morning, the platform was back online. The attack was carried out by the same threat actor responsible for a data breach Instructure had disclosed just one week earlier.
According to Instructure, the data accessed included user names, email addresses, student ID numbers, and messages exchanged on the platform. The company said it has no indication that passwords, dates of birth, government identifiers, or financial information were involved.
While students tried to log in Thursday to take or submit final exams, Canvas login pages instead displayed a ransom demand. The message stated that Instructure had rebuffed the group's earlier demands and encouraged individual schools to negotiate directly with ShinyHunters. On its dark web site, the group claimed the stolen data came from 275 million people associated with 8,800 schools.
The University of Illinois reportedly postponed all final exams and assignments scheduled for Friday, Saturday, and Sunday. The University of Massachusetts Dartmouth rescheduled or extended due dates. The University of California system directed all its campuses to find alternatives as the outage spread.
ShinyHunters has operated for years as a loose collective with a long record of high-profile breaches. In 2024, the group stole a large volume of credentials from cloud storage provider Snowflake and used that data in follow-on attacks against Snowflake customers, including TicketMaster.
Canvas is not the first major education platform to be targeted. Last year, PowerSchool, which provides cloud-based software to 60 million students across 16,000 K-12 schools worldwide, disclosed a breach that exposed years' worth of sensitive data, including names, addresses, and disciplinary records.
As of Friday, Instructure had not publicly stated whether it paid any ransom or entered negotiations with ShinyHunters. The company said the investigation into the breach is ongoing.