Security teams and campus officials scrambled after reports said that canvas hacked incidents had taken Instructure systems offline, disrupting access to grades, assignments and course materials.
Luke Connolly, a threat analyst at the cybersecurity firm Emisoft, said the hacking group ShinyHunters claimed responsibility and posted that nearly 9,000 schools worldwide were affected, as reported by Connolly.
Instructure did not immediately respond to requests for comment about whether the outage was precautionary or the result of attackers knocking systems offline, according to reporting from the sources.
Institutions reported immediate effects on end of semester activities. The University of Iowa's director of information technology described the issue as a national level cybersecurity incident in a notice to campus.
Virginia Tech acknowledged the disruption and warned it was monitoring the impact on final exams and end of term activities, saying additional guidance would follow via email and a status page.
The Harvard student newspaper reported Canvas was down at that institution, and public school officials in Spokane, Washington wrote they were not aware of sensitive data in the breach, according to the sources.
Scope Claims Actions And Sector Risks
Outside observers and victims described a broader pattern tied to attacks on education‑technology vendors, with Instructure one of several platforms targeted, according to the reporting.
Inside Higher Ed reported that the extortion group ShinyHunters claimed the breach affected almost 9,000 schools and compromised personal identifying information for 275 million people, as reported by Inside Higher Ed.
The group published a ransom note that read "PAY OR LEAK" and threatened to release what it described as billions of private messages if demands were not met, as reported by Ransomware.live and Inside Higher Ed.
Steve Proud, Instructure's chief information security officer, wrote in status updates that investigators believe the incident was perpetrated by a criminal threat actor and that the company had contained the attack, revoked privileged credentials, rotated certain keys, deployed patches and increased monitoring.
Proud said indications pointed to the involvement of identifying information such as names, email addresses and student ID numbers, and that thus far there was no evidence passwords, dates of birth, government identifiers or financial information were involved.
TechCrunch examined a sample of stolen data provided by ShinyHunters from two universities and found messages containing names, email addresses and some phone numbers, and did not find passwords or the other types of data Instructure said were unaffected, according to TechCrunch.
Experts warned organizations that criminal actors are increasingly targeting vendors that serve many institutions at once. Doug Thompson of Tanium said attackers are moving up the data supply chain to platforms that sit beneath thousands of campuses.
Anton Dahbura of the Johns Hopkins University Information Security Institute said educational platforms are rich targets given concentrations of personal and international student data, and he urged systemic approaches to cybersecurity, according to the reporting.
