1
1
An online education platform used by thousands of schools and universities was disabled for hours Thursday after a breach that compromised over three terabytes of student data.
Threat analyst Luke Connelly confirmed the hack was “very significant,” with the criminal group claiming to have stolen more than three terabytes of information, including “hundreds of millions of student records and conversations between students and their teachers.”
The group believed to be behind the attack is Shiny Hunters, known for previous breaches of major companies including Ticketmaster. Connelly noted that a statement from Instructure—Canvas’s parent company—indicated initial access was gained using a “free for teachers account,” suggesting social engineering tactics. This involves criminals impersonating employees over the phone to convince companies to reset login credentials.
While the group has not publicly stated ransom demands, Connelly estimated they would seek “a fairly significant amount of money,” noting a similar breach of a school software company in early 2025 resulted in a ransom payment “north of $2 million.”
Shiny Hunters’ dark website initially posted about the Canvas breach, then extended a ransom deadline to May 12 before removing both the post and stolen data from their publication site as of Thursday morning. “Something has happened in the last 24 hours,” Connelly said.
He drew parallels to a December 2024 breach of software provider PowerSchool, which became public in January 2025. In that case, the company paid a ransom, but months later the data—supposedly deleted—was still being used for extortion demands against individual schools.
Regarding whether passwords or financial identifiers were compromised, Connelly urged caution: “It seems fairly early for Canvas or Instructure to be saying definitively that specific sensitive information was not part of the data that was stolen.” He added, “I would err on the side of caution and assume that they have sensitive information.”
The long-term risks for students include potential extortion using private academic struggles or disability accommodations, as well as fraudulent credit accounts opened in their names. “The data can reside on the dark web for years,” Connelly warned.
Although Canvas is back online, Connelly noted that full resolution “can take weeks or months” to properly vet networks and ensure criminals have been fully removed.
For students and parents, Connelly recommended immediately changing school-linked passwords, avoiding reused passwords across multiple systems, and enabling multi-factor authentication.