
ShinyHunters Leaks 3.5 TB of Canvas Data, Ransom Deadline Looms as Schools Scramble

ShinyHunters stole 3.5TB of student data from Canvas, demanding payment by May 12. Schools scramble to restore services during exam season.

Peter Olaleru, Cybersecurity Editor


ShinyHunters exfiltrated 3.5 TB of Canvas user data and set a May 12 ransom deadline, leaving millions of students without reliable access during critical exams.

Context

Canvas, the web‑based learning platform from Instructure, supports roughly 30 million users across 9,000 institutions worldwide. In early May, the platform suffered a coordinated outage that coincided with the U.S. exam period, amplifying operational disruption.

Key Facts

- On May 5, the cybercrime group ShinyHunters announced it had stolen 3.5 TB of data, including names, email addresses, student IDs and private messages. The group threatened public release unless a ransom was paid by May 12.
- The FBI confirmed a service disruption affecting educational institutions but did not name Canvas.
- Universities in Australia, Canada and the United States reported partial restoration. The University of Sydney said the system was back online but still inaccessible pending checks; the University of Alberta noted reduced functionality.
- Major U.S. schools such as Penn State, Harvard, Columbia and Georgetown announced exam extensions or schedule changes as Canvas remained offline.
- No public confirmation has emerged on whether the ransom was paid. Instructure’s website later claimed Canvas was “available for most users” and reported no new incidents.
- The attack impacted institutions in the United States, the Netherlands, Sweden, Australia and the United Kingdom.

What It Means

The breach highlights the vulnerability of cloud‑based education services to credential theft and supply‑chain attacks. ShinyHunters’ demand for a deadline‑driven ransom underscores a shift toward time‑sensitive extortion, leveraging academic calendars to increase pressure. For schools, the incident forces rapid contingency planning, including alternative assessment methods and manual grade reporting.

Mitigations – What Defenders Should Do

1. Patch and Update – Apply the latest security patches for Instructure Canvas and underlying web servers. Monitor Instructure advisories for CVE identifiers related to authentication bypass or API exposure.
2. Enforce MFA – Require multi‑factor authentication for all administrative and faculty accounts to block credential‑stuffing attacks (MITRE ATT&CK T1110.003).
3. Network Segmentation – Isolate learning management system traffic from other campus networks to limit lateral movement if a breach occurs.
4. Log Monitoring – Deploy SIEM rules to detect abnormal data exfiltration patterns, such as large outbound transfers exceeding 1 GB per hour.
5. Backup Verification – Maintain immutable, offline backups of student records and test the restoration process quarterly.
6. Incident Response Playbook – Update response plans to include ransomware negotiation guidelines and communication protocols for exam disruptions.
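The 1 GB per hour threshold from the log-monitoring item can be checked with a rolling one-hour window per source host, which catches transfers that straddle a clock-hour boundary and would slip under fixed hourly buckets. This is an added example, not code from the article or from Instructure; the flow-record format, the addresses and the campus range `10.0.0.0/8` are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_BYTES = 1024**3            # 1 GB per hour, the figure quoted above
WINDOW = timedelta(hours=1)
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: campus address space

# Constructed flow records: timestamp, source, destination, bytes sent
SAMPLE_FLOWS = """\
2024-01-15T22:30:00 10.20.0.7 198.51.100.9 200000000
2024-01-15T22:40:00 10.20.0.5 203.0.113.40 400000000
2024-01-15T22:45:00 10.20.0.9 10.30.0.2 5000000000
2024-01-15T22:55:00 10.20.0.5 203.0.113.40 400000000
2024-01-15T23:10:00 10.20.0.5 203.0.113.40 400000000
2024-01-15T23:50:00 10.20.0.7 198.51.100.9 200000000
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)

def parse_flows(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            ts, src, dst, sent = parts
            yield datetime.fromisoformat(ts), src, dst, int(sent)

def detect_exfil(flows, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Alert once each time a source's outbound bytes in a rolling window cross the threshold."""
    recent, totals = defaultdict(deque), defaultdict(int)
    alerting, alerts = set(), []
    for ts, src, dst, sent in sorted(flows):
        if not is_internal(src) or is_internal(dst):
            continue  # only campus -> external traffic counts as outbound
        q = recent[src]
        q.append((ts, sent))
        totals[src] += sent
        while q[0][0] <= ts - window:      # expire records older than the window
            totals[src] -= q.popleft()[1]
        if totals[src] <= threshold:
            alerting.discard(src)
        elif src not in alerting:
            alerting.add(src)
            alerts.append((src, q[0][0], ts, totals[src]))
    return alerts

if __name__ == "__main__":
    for src, start, end, total in detect_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {src}: {total} bytes outbound between {start} and {end}")
```

In the sample, host 10.20.0.5 sends 800 MB in the 22:00 hour and 400 MB in the 23:00 hour, so neither clock hour exceeds 1 GB, yet the rolling window ending at 23:10 does; the 5 GB campus-internal copy is ignored.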

Looking Ahead

Watch for any data dumps from ShinyHunters after the May 12 deadline and for further statements from Instructure on long‑term security hardening.
