Students across the United States were locked out of coursework, quizzes, and grades during finals week after threat actors defaced hundreds of Canvas login portals in a ShinyHunters-linked extortion campaign.
The disruption impacted colleges, universities, and school districts worldwide, underscoring the growing cybersecurity risks facing cloud-based education platforms.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches,’” the group wrote in a Canvas login portal defacement message, according to BleepingComputer.
Key takeaways from the Canvas incident
- ShinyHunters-linked threat actors defaced Canvas login portals, affecting approximately 330 educational institutions at this time.
- The disruption impacted students and faculty during finals week, limiting access to coursework, grades, and assignments.
- The incident follows claims that attackers stole 280 million student and staff records tied to Canvas platforms.
- Reports indicate that the attackers exploited a vulnerability that allowed them to modify institutional login pages.
- The campaign highlights the growing risks associated with centralized cloud-based education platforms and SaaS extortion tactics.
What we know so far about the recent Canvas incident
| Incident Detail | Reported Information |
|---|---|
| Affected Platform | Instructure Canvas |
| Threat Actor Group | ShinyHunters |
| Attack Type | Extortion and portal defacement |
| Estimated Institutions Impacted | Approximately 330 |
| Reported Impact | Login portal defacement, service disruption |
| Attack Timing | During US university finals week |
| Affected Regions | United States and reportedly Australia |
| Vendor Response | Canvas placed into maintenance mode while the investigation continues |
Canvas Outage Impacts Universities Worldwide
The incident has reportedly affected approximately 330 educational institutions, with defacement notices appearing on both the Canvas login portal and the Canvas mobile app.
Universities, including Columbia, Georgetown, Harvard, Princeton, Rutgers, and Kent State, warned students and faculty about the disruption, while Reddit users also reported affected universities in Australia.
Because Canvas serves as a centralized learning management platform for thousands of institutions worldwide, the disruption quickly spread across multiple regions and academic environments.
The timing of the attack amplified its impact. Many colleges and universities in the United States are currently in the middle of final exams, leaving students unable to access coursework, quizzes, study materials, grades, and assignment submissions.
Professors and administrators also reportedly experienced issues finalizing grades and managing end-of-semester academic operations as Canvas services became unavailable.
Instructure investigates alleged data theft in previous incident
The latest disruption comes only days after Instructure disclosed that it was investigating claims that threat actors had stolen approximately 280 million student and staff records tied to more than 8,800 schools and educational platforms that use Canvas.
According to the attackers, the allegedly stolen data includes user records, enrollment information, and private messages, which were reportedly accessed via Canvas APIs and data export features.
Instructure has confirmed that data was accessed during that broader incident but said its investigation remains ongoing.
Attack highlights risks of centralized SaaS platforms
Reports indicate that the defacement campaign exploited a vulnerability in Instructure’s systems, allowing attackers to modify institutional login pages.
Although technical details have not been disclosed, the incident highlights how extortion groups increasingly combine data theft with public disruption to pressure organizations into paying ransoms.
The campaign also underscores the growing risks associated with centralized cloud-based education technology ecosystems. Because thousands of schools depend on a single platform provider, a compromise affecting one vendor can rapidly cascade across hundreds of institutions simultaneously.
In response to the incident, Instructure later placed Canvas into maintenance mode while investigating and responding to the attack. The company said it continues working to determine the full scope of the breach and restore affected services.
How organizations can improve cyber resilience
As extortion groups increasingly target SaaS providers that store large volumes of sensitive student and staff data, organizations should reassess how they secure learning management systems and connected services.
- Review privileged account access and enforce role-based access controls to limit unnecessary exposure to sensitive systems and data.
- Require phishing-resistant multifactor authentication for administrators, faculty, and other high-risk accounts.
- Restrict unnecessary API access and closely monitor data export activity for signs of abuse or unauthorized downloads.
- Centralize authentication, API, and platform logs into a SIEM to detect suspicious activity and unauthorized portal changes in real time.
- Conduct regular third-party security assessments of cloud learning platform vendors and review their incident response and data protection practices.
- Maintain offline backups and establish alternate communication and learning continuity plans in case critical platforms become unavailable.
- Test incident response and disaster recovery plans through tabletop exercises that simulate SaaS outages, ransomware, and data extortion scenarios.
Implementing these measures can help educational institutions reduce exposure to evolving extortion threats while building greater operational resilience against future attacks and disruptions on SaaS platforms.
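As an added illustration of the export-monitoring and portal-change detection recommended above (not code from Instructure or from the original article), the following Python runs both checks over constructed log events. The event schema, field names, thresholds, and allowlist are assumptions; an institution would map them onto whatever its SIEM actually ingests.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: tune to the institution's own baseline and change process.
EXPORT_WINDOW = timedelta(minutes=10)
EXPORT_ROW_LIMIT = 50_000
APPROVED_PORTAL_EDITORS = {"it-webteam"}

# Constructed sample events in a hypothetical normalized schema (not a real Canvas log format).
SAMPLE_LOG = """\
{"ts":"2025-01-01T09:00:00","actor":"svc-reporting","action":"data_export","rows":1200}
{"ts":"2025-01-01T09:30:00","actor":"it-webteam","action":"login_page_update","target":"login_theme"}
{"ts":"2025-01-02T02:00:00","actor":"api-key-7","action":"data_export","rows":30000}
{"ts":"2025-01-02T02:04:00","actor":"api-key-7","action":"data_export","rows":30000}
{"ts":"2025-01-02T02:20:00","actor":"api-key-7","action":"data_export","rows":10000}
{"ts":"2025-01-02T03:00:00","actor":"api-key-7","action":"login_page_update","target":"login_theme"}
"""

def detect(lines):
    """Return alerts for bulk exports per actor and login-page edits by unapproved actors."""
    alerts = []
    recent = defaultdict(deque)  # actor -> (timestamp, rows) pairs inside the sliding window
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        actor = ev["actor"]
        if ev["action"] == "data_export":
            win = recent[actor]
            win.append((ts, ev["rows"]))
            # Drop exports that have aged out of the window before summing.
            while win and ts - win[0][0] > EXPORT_WINDOW:
                win.popleft()
            total = sum(rows for _, rows in win)
            if total > EXPORT_ROW_LIMIT:
                alerts.append(("bulk_export", actor, ev["ts"], total))
                win.clear()  # one alert per burst instead of one per event
        elif ev["action"] == "login_page_update" and actor not in APPROVED_PORTAL_EDITORS:
            alerts.append(("unapproved_portal_change", actor, ev["ts"], ev.get("target")))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

An actor that appears in both alert types within a short period is worth escalating first, since it links bulk data access to a change on the login page.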
Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.