Canvas LMS Restored After May 7 Ransomware Attack Disrupts 9,000 Schools

Canvas, owned by Instructure, is a cloud‑based learning management system used by K‑12 districts and universities worldwide. On the morning of May 7, users reported inability to log in, access grades or submit coursework during spring finals. Instructure placed the platform in maintenance mode and began investigating the disruption.

- The outage lasted several hours before Instructure announced full restoration on May 8. - Hacking group ShinyHunters claimed responsibility, stating they accessed data from nearly 9,000 institutions affecting about 275 million individuals. - According to Instructure, the compromised data included names, email addresses, student ID numbers and user‑to‑user messages; passwords, birth dates, government IDs and financial information were not exposed. - ShinyHunters reportedly gave affected schools a May 12 deadline to negotiate a ransom, threatening to leak the data if unpaid. - The attack aligns with common ransomware tactics: initial access via phishing or compromised credentials (MITRE ATT&CK T1566, T1078), followed by data exfiltration (T1041) and impact through service disruption (T1489).

For institutions, the incident highlights the reliance on third‑party SaaS platforms for critical academic functions. Even when core credentials remain safe, exposure of personal identifiers can enable follow‑on phishing or identity‑theft campaigns. The claimed ransom deadline creates pressure on schools to decide whether to engage with threat actors, a decision that carries legal and reputational risks.