Canvas LMS hacked during finals week, exposing 275 million users at 9,000+ schools

At a glance:

  • Canvas, the learning management system used by thousands of universities worldwide, was breached on Thursday, May 7 by the black-hat hacker group ShinyHunters while students were deep in finals week.
  • ShinyHunters claims the attack affected 275 million Canvas users at over 9,000 schools—including every Ivy League university—and has threatened to leak names, emails, student course schedules, and ID numbers unless a ransom is paid by May 12.
  • The platform was restored within hours after the ransom note was replaced with a "scheduled maintenance" message, but it remains unclear whether Instructure or any affected universities paid the settlement ShinyHunters demanded.

What happened on May 7

On Thursday, May 7—squarely in the middle of finals week at American universities—students attempting to log into Canvas were met not with their familiar course dashboards but with a ransom note from ShinyHunters. The message opened by declaring that the group had breached Instructure, Canvas's parent company, "again," referencing a prior breach that Instructure had already acknowledged and patched earlier that same month. The hackers accused Instructure of ignoring their initial contact and responding only with what they dismissed as cosmetic "security patches." By approximately 4:20 PM, the ShinyHunters message was replaced with a notice from Canvas itself stating the platform was undergoing "scheduled maintenance." Reports from outlets including The Daily Pennsylvanian, The Harvard Crimson, and The Collegiate Times indicate the platform was largely accessible again by late that evening or by the morning of May 8.

The scope of the breach and the ransom demand

ShinyHunters accompanied its attack with a list of affected institutions and a specific ultimatum. The group claimed that 275 million users across more than 9,000 schools would be impacted, naming The University of Pennsylvania, Virginia Tech, Duke University, and Harvard among the targets—a roster that reportedly encompasses every Ivy League university. The data ShinyHunters said it accessed includes student names, email addresses, course schedules, and institutional ID numbers. Schools were urged to "consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement" before the end of day on May 12. If the deadline passed without payment, the group threatened to begin publicly leaking the harvested sensitive data.

University responses and student frustration

Statements from affected universities have been tightly controlled and largely formulaic. Institutions acknowledged the disruption, assured students that IT teams were working on the matter, and directed the campus community to stand by for further updates. Students, meanwhile, turned to social media to express a mix of anxiety, dark humor, and frustration—venting about the timing of the attack during the most academically pressured stretch of the semester. Some universities moved quickly to mitigate downstream scheduling damage: several institutions rescheduled final examinations from Friday, May 8 to Sunday, May 10, giving students a brief reprieve while the platform situation stabilized.

A pattern of attacks on education technology

The Canvas breach is not an isolated incident but the latest in a growing wave of attacks targeting education technology infrastructure. In January, K-12 software company PowerSchool publicly disclosed that it had paid a ransom after hackers breached its platform and accessed students' personal data—a decision that has drawn both understanding and criticism from the security community. Instructure itself had already disclosed a prior breach earlier in May, making the ShinyHunters message—"breached Instructure (again)"—a pointed reference to what the hackers view as institutional complacency. The recurrence raises uncomfortable questions about whether education platforms are investing enough in proactive defenses or simply reacting to threats after the damage is done.

What comes next

Whether Instructure or any of the affected universities quietly paid the ShinyHunters ransom remains unknown. The group has since removed Canvas from its public extortion page, which could signal a resolution—or simply a shift in tactics. For students, the episode has surfaced a bitter irony: institutions that depend on tuition revenue and multi-billion-dollar endowment funds are now being held hostage by actors who exploit the very digital infrastructure those institutions rely on. Cybersecurity analysts recommend that universities conduct independent audits of their third-party vendor relationships, enforce multi-factor authentication across all LMS access points, and prepare incident-response playbooks that account for the possibility of ransom demands. For now, the immediate crisis appears contained, but the broader implications for education-sector cybersecurity are only beginning to unfold.

The leverage question

Beyond the technical fallout, the Canvas hack has introduced an uncomfortable power dynamic between students and their institutions. With sensitive academic and personal data now confirmed to be in the hands of a criminal group, students at affected schools hold a rare form of leverage. Demands for tuition adjustments, formal accountability from IT leadership, and grade-curve accommodations are already circulating on campus forums and social media. Universities face a delicate balancing act: acknowledging the severity of the breach without exposing themselves to further legal or regulatory scrutiny. How they navigate the coming weeks will set a precedent for how higher education handles the next inevitable incident.

Editorial SiliconFeed is an automated feed: facts are checked against sources; copy is normalized and lightly edited for readers.

FAQ

What is Canvas and who operates it?

Canvas is a learning management system (LMS) developed and operated by Instructure, a Salt Lake City–based education technology company. It is used by thousands of K-12 districts, colleges, and universities worldwide for course delivery, assignments, grading, and communication between students and faculty.

Which schools were affected by the ShinyHunters breach?

ShinyHunters claimed that over 9,000 schools and 275 million Canvas users were impacted. Named institutions include The University of Pennsylvania, Virginia Tech, Duke University, and Harvard, with the group stating that every Ivy League university was among the targets.

Has Instructure or any university confirmed paying the ransom?

Neither Instructure nor any affected university has publicly confirmed paying the ShinyHunters ransom. The group removed Canvas from its public extortion page after the platform was restored, but it remains unclear whether a settlement was reached privately. In January 2025, K-12 software company PowerSchool publicly admitted to paying a ransom following a similar breach of its education platform.
