Instructure's Canvas platform was knocked offline Thursday after the hacking group ShinyHunters defaced login pages at schools across the U.S., disrupting coursework and forcing schedule changes at universities and K-12 districts during finals week.
The company said it took Canvas offline after discovering that hackers had altered pages displayed to students and teachers logging in. Instructure identified the entry point as an issue tied to its Free-For-Teacher accounts and said it shut those accounts down before restoring Canvas access. "This gives us the confidence to restore access to Canvas, which is now fully back online and available for use," the company said in a statement.
Instructure puts the platform's reach at more than 8,000 institutions and upward of 30 million active users around the world. Schools affected included Columbia University, Princeton, Harvard, Georgetown, Rutgers, Kent State, Penn State, and the University of Wisconsin-Madison, as well as public school districts in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin.
Thursday's disruption was the second breach claimed by ShinyHunters against Instructure this month. On May 1, the company disclosed a cybersecurity incident in which usernames, email addresses, student ID numbers, and communications from some institutions were exposed. A ransom note the group posted on May 3 asserted that it had compromised data belonging to roughly 275 million people and was holding "several billions of private messages," with May 6 set as the deadline for Instructure to make contact. When no response came, the group carried out the login page defacement and set a new deadline of May 12 for schools to negotiate a settlement.
According to TechCrunch, ShinyHunters injected an HTML file into Canvas login pages at multiple schools to display its message. When TechCrunch pressed a group member for details on how the login pages were compromised, the individual declined to elaborate beyond confirming that the incident was unrelated to the earlier hack.
Emsisoft threat analyst Luke Connolly told CBS News that ShinyHunters is made up of teenagers and young adults from the U.S. and the U.K. The group has claimed responsibility for breaching Live Nation's Ticketmaster and has been linked to data theft from many companies. In 2024, federal prosecutors convicted someone who used the ShinyHunters name on the dark web. That person sold stolen files from over 60 companies and threatened more leaks unless victims paid.
The outage happened when many students relied on Canvas for lecture videos, study materials, assignments, and course messages. At James Madison University, all Friday exams were moved to Wednesday. Penn State's Pollock Testing Center canceled every exam scheduled for those two days. Georgetown instructors gave paper extensions to affected students, and at MIT, faculty had to search their own records for student contact information after Canvas's messaging tools stopped working.
