Cyberattack Shuts Down Canvas Learning Platform at Thousands of U.S. Schools

Students unable to access grades, course materials, and take exams during finals period; potential exposure of private messages and sensitive data for millions of students and educators.
Schools have become entirely dependent on technology, and that dependence has made them irresistible targets
A cyberattack on Canvas, used by nearly 9,000 schools globally, exposed how vulnerable educational institutions have become.

In the middle of finals season, a cyberattack by the hacking group ShinyHunters brought down Canvas — the digital infrastructure underlying daily life at thousands of schools worldwide — exposing how deeply American education has entrusted its most sensitive records to systems it cannot fully protect. The group, a loose network of young criminals with a history of high-profile breaches, is demanding payment in exchange for not releasing billions of private messages stolen from nearly 9,000 institutions. The attack is less a story about technology than about dependency: the moment a society digitizes its most vulnerable populations, it also creates the conditions for their exploitation.

  • At the height of finals week, students at Penn State, Columbia, UCLA, and dozens of other institutions found themselves locked out of grades, notes, and assignments with no clear timeline for restoration.
  • ShinyHunters claimed access to billions of private messages and records across nearly 9,000 schools globally, setting an extortion deadline of May 12 and signaling that negotiations — and ransom discussions — may already be underway.
  • The extended deadline suggests the hackers are not simply threatening but actively bargaining, turning stolen student and faculty communications into leverage against institutions with little choice but to engage.
  • Instructure, Canvas's parent company, restored partial access by Thursday evening but offered little public transparency, leaving schools to manage cascading disruptions — canceled exams, blocked submissions, silenced classrooms — largely on their own.
  • The attack follows a pattern targeting education's digital infrastructure, echoing the PowerSchool breach and years of assaults on districts from Los Angeles to Minneapolis, raising urgent questions about whether edtech companies are equipped to safeguard the data they've been entrusted with.

On a Thursday morning during finals season, thousands of schools across the United States discovered that Canvas — the learning management system woven into the daily fabric of American education — had gone dark. Students couldn't retrieve notes or submit work. Teachers couldn't post grades. The outage made visible a vulnerability that had been quietly accumulating for years: schools have become so dependent on digital infrastructure that a single breach can bring the rhythm of learning to a halt.

The group responsible, ShinyHunters, claimed to have compromised nearly 9,000 schools worldwide, gaining access to billions of private messages and records held by Instructure, Canvas's parent company. The attack hit major universities — Penn State, Columbia, UCLA, Northwestern, the University of Chicago, Harvard — as well as public school districts from Spokane to Chicago. Penn State canceled all tests at its Pollock Testing Center for Thursday and Friday, telling students plainly that no resolution was expected within 24 hours.

What distinguishes the attack from a simple disruption is its extortionate design. ShinyHunters set deadlines — first Thursday, then May 12 — threatening to release the stolen data unless demands were met. The extension of those deadlines suggests negotiations are ongoing. The hackers are betting that institutions will pay rather than risk the exposure of sensitive communications between students, teachers, and administrators.

This is not an isolated incident. Minneapolis Public Schools and the Los Angeles Unified School District have both suffered major breaches in recent years. Schools are attractive targets because they hold dense concentrations of digitized personal data — records, health information, private messages — once locked in filing cabinets, now stored in cloud systems accessible from anywhere in the world. ShinyHunters itself, according to cybersecurity analyst Luke Connolly of Emisoft, is not a sophisticated state actor but a loose affiliation of teenagers and young adults in the US and UK, the same group linked to the Ticketmaster breach.

Instructure restored partial access by Thursday evening but offered little public explanation, leaving schools to absorb the fallout alone. For students already navigating the pressures of finals, the outage was one more disruption in a season that could not afford one. For the broader education system, it was a warning that efficiency and vulnerability have become inseparable.

On Thursday morning, thousands of schools across the United States woke to find Canvas—the learning management system that has become the digital backbone of American education—completely inaccessible. Students preparing for final exams couldn't retrieve notes or submit work. Teachers couldn't post grades. The outage laid bare a hard truth: American schools have become entirely dependent on technology, and that dependence has made them irresistible targets for criminals.

A hacking group calling itself ShinyHunters claimed responsibility for the breach, according to Luke Connolly, a threat analyst at the cybersecurity firm Emisoft. The group targeted Instructure, the company that owns and operates Canvas, and the damage was staggering in scope. ShinyHunters posted online that nearly 9,000 schools worldwide had been compromised, with access to billions of private messages and other records. By late Thursday evening, Instructure announced that Canvas was "now available for most users," but the recovery came too late for many institutions already scrambling to manage the fallout.

The list of affected universities reads like a map of American higher education: Penn State, the University of Wisconsin-Madison, Columbia University, UCLA, Northwestern University, the University of Chicago, and the University of Illinois Chicago all reported being targeted. Harvard's student newspaper confirmed the system was down there as well. Union College in New Jersey and several other California schools also went dark. Public school districts from Spokane, Washington to Chicago felt the impact. At Penn State, administrators sent a stark message to students: no one had access to Canvas, and they should not expect a resolution within the next 24 hours. The school canceled all tests scheduled for Thursday and Friday at its Pollock Testing Center.

Canvas manages the infrastructure of modern education—grades, course notes, assignments, lecture videos, the accumulated digital record of what students have learned and how they've performed. Its absence during finals week created immediate chaos. Students couldn't study. Teachers couldn't communicate. The system that had become so embedded in the daily rhythm of schools that its absence felt like a power outage was suddenly, completely gone.

What makes the attack particularly menacing is that it appears to be extortion. Screenshots obtained by Connolly showed that ShinyHunters began threatening to leak the stolen data on Sunday, setting initial deadlines for Thursday and May 12. The fact that the group extended the deadline suggests ongoing negotiations—discussions about payment, in other words. The hackers are holding billions of private messages hostage, betting that schools and universities will pay rather than risk exposure of sensitive communications between students, teachers, and administrators.

This is not the first time American schools have faced such an assault. Minneapolis Public Schools and the Los Angeles Unified School District have both been hit by major attacks in recent years. Schools are attractive targets precisely because they are rich in digitized data—student records, health information, social security numbers, private communications—all now stored in cloud systems rather than locked filing cabinets. The shift to digital has made schools more efficient, but it has also made them vulnerable to criminals operating from across the globe.

Connolly noted that the Canvas attack bears striking similarities to a breach at PowerSchool, another company that provides learning management tools to schools. In that case, a Massachusetts college student was eventually charged. ShinyHunters itself, Connolly explained, is a loose affiliation of teenagers and young adults based in the United States and the United Kingdom. The group has been linked to other high-profile attacks, including one targeting Live Nation's Ticketmaster subsidiary. They are not sophisticated state actors; they are young criminals with access to powerful tools and a willingness to hold schools' data for ransom.

Instructure has remained largely silent, posting only to a status log and declining to comment on social media about the breach. As of Thursday night, the company was still working to restore full access. But for the schools affected, the damage extends beyond the hours of downtime. The breach has exposed the fragility of the systems schools depend on and raised urgent questions about whether the companies managing educational data are adequately protecting it. For students in the middle of finals week, it was simply another obstacle in an already stressful time.

ShinyHunters is a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom, also linked to attacks on Live Nation's Ticketmaster subsidiary
— Luke Connolly, threat analyst at Emisoft
The Hearth Conversation Another angle on the story
Inventor

Why does a hacking group target schools specifically? What's the payoff?

Model

Schools hold something criminals value: billions of private messages, student records, health data, social security numbers. But more than that, schools are under pressure to keep operating. A hospital can't function without patient data. A school can't function without grades and assignments. That pressure makes them willing to negotiate.

Inventor

So this is extortion, not theft for its own sake.

Model

Exactly. ShinyHunters isn't trying to sell student data on the dark web. They're threatening to release it unless schools pay. The extended deadline—pushing from Thursday to May 12—suggests they're already in conversations with Instructure or the schools about what that payment might be.

Inventor

How many students are we talking about here?

Model

Nearly 9,000 schools worldwide. That's millions of students and educators. In the United States alone, you're looking at major universities like Penn State, Columbia, UCLA, Northwestern. But also public school districts, smaller colleges, community schools. The reach is enormous.

Inventor

What happens to the data if the schools don't pay?

Model

ShinyHunters says they'll leak it. Billions of private messages. That means conversations between students and counselors, between teachers and students, between administrators and families. Things people thought were private.

Inventor

Is this new, or have schools been hit before?

Model

Schools have been targeted before—Minneapolis, Los Angeles. But what's changed is the scale and the sophistication of the extortion. Schools digitized everything thinking it would make them safer and more efficient. Instead, it made them targets.

Inventor

What does Instructure do now?

Model

They're trying to restore access and probably negotiating with the hackers. But the real question is whether they had adequate security in the first place. That's what schools are asking themselves right now.

Contact Us FAQ