A massive ransomware attack disrupted academic operations at approximately 9,000 universities and schools worldwide this week. The attack was carried out by the infamous hacking group ShinyHunters, which breached the Canvas learning management system during finals week in many parts of the world.
The Canvas hack forced institutions across the United States, Canada, Australia, the United Kingdom, the Netherlands, Sweden, and New Zealand to postpone final exams. Some also had to cancel assignments, as the group threatens to leak data from 275 million students, teachers, and staff unless its ransom demands are met by May 12.
Instructure, the company that owns Canvas, confirmed the Canvas platform went offline Thursday following the ShinyHunters cyberattack. The company posted an update late Thursday stating Canvas was available for most users. Several universities continued reporting Canvas outages Friday morning. The Canvas learning management system serves over 30 million active users globally and hosts course content, assignments, grades, and private messaging for academic institutions across six continents.
ShinyHunters displayed ransom notes on student screens Thursday afternoon demanding payment in bitcoin after the Canvas security breach. The ransom note stated that ShinyHunters had breached Instructure again and threatened to release stolen student data unless Canvas or affected universities paid.
Universities across multiple continents postponed Friday’s final exams to allow affected students to recover lost work from the Canvas platform. The University of Sydney instructed students Friday not to attempt logging into Canvas while waiting for guidance from Instructure. Idaho State University cancelled exams scheduled after 12:00 local time Thursday due to the Canvas outage. Penn State University informed students no one had access to Canvas and warned resolution was unlikely within 24 hours. In Australia, the federal government’s National Office of Cyber Security coordinated response efforts as universities, vocational providers, and state schools struggled with disrupted access. The Netherlands reported 44 educational institutions affected, though Universities of the Netherlands confirmed no university had been approached directly for ransom payments.
ShinyHunters first breached Instructure on May 1 and sent a ransom letter on May 3. The letter claimed they had access to 275 million individual records and billions of private messages between students and teachers stored on Canvas. The group later set a May 6 deadline that Instructure ignored while implementing Canvas security patches. ShinyHunters launched the second Canvas attack Thursday, displaying messages that accused Instructure of ignoring outreach attempts and installing inadequate security fixes.
Described as a “loose group of teenagers and young adults based in the United States and United Kingdom formed in 2020,” the ShinyHunters group has so far exposed names, email addresses, student ID numbers, and messages among Canvas users in their initial attacks.
Pakistani universities appear unaffected by the ShinyHunters Canvas attack as most institutions rely on alternative learning management systems including Google Classroom, Moodle, and locally developed platforms. The Higher Education Commission of Pakistan has not issued any alerts regarding Canvas-related security incidents.
Major Pakistani universities including Lahore University of Management Sciences, National University of Sciences and Technology, and Quaid-i-Azam University primarily use indigenous or open-source platforms rather than Canvas.
However, cybersecurity experts warned that educational institutions globally remain vulnerable to similar ransomware attacks regardless of platform choice, emphasizing the need for robust security protocols, regular data backups, and employee training to prevent phishing attempts that often serve as entry points for hackers targeting academic networks.
Canvas was taken offline for a couple of hours before returning to service despite the data breach.
The ShinyHunters group has been linked to high-profile cyber attacks including major breaches of Ticketmaster owner Live Nation in 2024 involving 560 million customer records and Jaguar Land Rover last year.
