Massive cyberattack on Canvas/Instructure hits 8,800+ education institutions

Salt Lake City, May 11. Education technology firm Instructure has suffered a historic cyberattack on its learning management system Canvas. Hacker group ShinyHunters claims to have stolen 3.65 terabytes of data — roughly 275 million records.

8,800 institutions affected

The breach affects 8,809 universities, education ministries, and institutions. Affected schools include Harvard, Stanford, MIT, Oxford, and many of India's IITs and IIMs. The stolen data covers private student-teacher messages, assignment submissions, grades, and authentication details.

The ransomware message

On May 7, the Canvas login page was replaced with a ransomware message demanding payment by the end of May 12. Millions of students and teachers worldwide were suddenly locked out of their accounts, disrupting final exams and submissions.

An undisclosed settlement on May 11

On May 11, Instructure announced it had reached an undisclosed settlement with the hackers and that the stolen data had been destroyed. Cybersecurity experts are sceptical, however, about whether the data is truly gone.

Who are ShinyHunters

ShinyHunters is a notorious hacking group with a record of targeting Snapchat, Home Depot, Telefónica, and other major companies. The same group also claimed this week to have stolen 500,000+ Salesforce records from real-estate firm Cushman & Wakefield.

A warning for Indian institutions

Many Indian institutions use Canvas. The Ministry of Education and CERT-In have directed affiliated universities to reset passwords and enable two-factor authentication. The incident underscores the need for robust data-security protocols as India rolls out its national AI education framework.