Canvas, an e-learning platform went offline after a data breach last week, raising probing questions on the safety of shared infrastructures.
The breach temporarily left students and faculty at thousands of U.S. colleges, and K-12 schools, without access to course materials and communications during finals period.
“I’m sure somewhere in the country when the outage happened, there probably were people actually taking final exams on the platform when it crashed,” says Damon Linker, a senior lecturer in political science at the University of Pennsylvania.
Thirty million users, including at half of the higher education institutions in North America, rely on Canvas to manage courses, submit assignments, view grades and facilitate communication, according to its parent company, Instructure.
But when Linker and many other users tried to do so on Thursday afternoon, they met a black screen and a warning message.
“ShinyHunters has breached Instructure (again),” it read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'”
ShinyHunters is the same entity that took credit for a massive Ticketmaster data breach in 2024. Like many such groups, it’s a cluster of young people working remotely together, “kind of like a ransomware gang,” says Rachel Tobac, the CEO of SocialProof Security, which trains people and companies to defend themselves against hackers.
ShinyHunters wrote on a threat intelligence website earlier last week that the initial breach involved data, including private messages, from 275 million students, teachers and staff at nearly 9,000 schools worldwide.
The group said Thursday that affected schools can prevent the release of their data by consulting with cyber advisory firms and negotiating settlements through the encrypted chat platform Tox.
“You have till the end of the day by 12 May 2026 before everything is leaked,” the hackers wrote.
ProCircular, a top Midwest cybersecurity consulting company, has been closely monitoring the breach and has created a Github link for Canvas breach customer lookup.
“The Canvas breach is a reminder that shared infrastructure risk is institutional risk. When a platform serving 41% of North American higher education is compromised, every tenant becomes a potential extortion target, regardless of their own security posture. We saw this play out after the PowerSchool incident in 2024, and we expect the same pattern here.
This moment calls for institutions to stop treating third-party SaaS platforms as someone else’s problem. Credential rotation at the vendor level does not eliminate persistence mechanisms inside your own tenant, and a ransom payment has never guaranteed data deletion. The path forward is proactive auditing, pre-established incident response protocols, and a firm organizational stance against negotiation before a threat ever arrives.” – Brandon Blankenship, ProCircular, wrote in a message to Techeconomy.
