A cyberattack forced the Canvas educational platform offline on Thursday, affecting millions of students and teachers at more than 9,000 universities and K-12 schools across the United States during a critical time in the academic calendar.
CBS reports that Canvas, a cloud-based digital classroom platform with more than 30 million active users globally and over 9,000 school customers, experienced a major security breach on Thursday that left students and educators without access to essential classroom materials. The timing proved particularly troublesome as many schools are in the midst of final examinations or preparation periods.
Major educational institutions including Columbia University, Princeton, Harvard, Georgetown, the University of Washington, the University of Pennsylvania, Rutgers, Kent State, and K-12 school districts around the country also reported that a ransom note had appeared on their Canvas homepage. The message was signed by a hacking group calling itself ShinyHunters, which claimed to have breached Instructure, the parent company of Canvas.
The ransom note demanded payment to prevent data leaks from the platform. In the message, ShinyHunters claimed this was their second breach of Instructure within the month and criticized the company’s response to the previous attack, stating that Instructure had ignored them and implemented only security patches instead of engaging with the hackers.
Instructure had previously acknowledged a cybersecurity incident on May 1, which it said was perpetrated by a criminal threat actor. The company announced the breach had been contained by the following day, though user names, email addresses, student ID numbers, and communications from some institutions appeared to have been exposed during that incident.
During Thursday’s attack, Instructure placed Canvas in maintenance mode while investigating the issue. By late Thursday night, the company announced that Canvas was available again for most users. However, the disruption had already forced numerous institutions to extend deadlines and adjust final examination schedules.
Little public information exists about ShinyHunters, though cybersecurity researchers and federal authorities have connected the name to several high-profile data theft incidents. The group claimed responsibility for hacking Ticketmaster and attempting to sell user data on the dark web in 2024.
Mandiant, a cyber-intelligence firm owned by Google, reported earlier this year an increase in activity consistent with previous ShinyHunters-branded extortion operations. The firm noted that the attackers employ sophisticated voice phishing techniques and create fake company-branded login pages to harvest employee credentials before stealing sensitive data from cloud-based platforms for ransom.
Breitbart News reported in 2025 that ShinyHunters took credit for hacking Google through a Salesforce CRM data theft:
According to Google, one of its corporate Salesforce instances was compromised in June, allowing the attackers to exfiltrate customer data during a brief window before access was cut off. The stolen data was reportedly limited to basic and largely public business information, such as company names and contact details.
Google has classified the threat actors behind these attacks as ‘UNC6040’ or ‘UNC6240.’ However, BleepingComputer, which has been closely monitoring the situation, has confirmed that ShinyHunters is responsible for the breaches. The notorious group has a long history of high-profile attacks, including those targeting PowerSchool, Oracle Cloud, Snowflake, AT&T, NitroPDF, Wattpad, MathWay, and many others.
In a conversation with BleepingComputer, ShinyHunters claimed to have breached numerous Salesforce instances, with attacks still ongoing. The threat actor even hinted at having compromised a trillion-dollar company, though it remains unclear if this refers to Google.
Read more at CBS here.
Lucas Nolan is a reporter for Breitbart News covering issues of AI, free speech, and online censorship.