Canvas hacked: ShinyHunters attack exposes alarming new ransomware trend

The cybersecurity world is reeling from a massive data breach at an educational tool Canvas orchestrated by the notorious hacking group ShinyHunters, causing significant disruption to thousands of schools and universities across the United States.

Canvas is usually used by schools, colleges and universities for grades and other class materials. In the aftermath of being hacked, the students were unable to gain access to the site beginning on Thursday afternoon.

As per hackers’ claims, they have access to 280 million student and staff records from 8,809 colleges, school districts and online educational platforms. Universities like Harvard, Stanford and thousands of other institutions have been hit the worst.

The downtime occurred during finals week for many students, complicating grading, exams outcomes and assignment submissions.

Soon after the complaints regarding Canvas outage began to pour in on social media platforms, ShinyHunters released a statement stating they have hacked the servers belonging to Canvas’s parent company Instructure.

"Instead of contacting us to resolve it they ignored us and did some 'security patches,'" the hackers said.

"If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately...to negotiate a settlement,” the statement read.

Scale of Canvas data breach

As of late Thursday, Instructure confirmed a cybersecurity incident involving unauthorised access to users' data. According to Instructure’s CISO, the breached data includes: student names, email addresses, student ID numbers and internal messages exchanged on the Canvas platform.

According to the parent company, they have placed affected sites in maintenance mode and are investigating the issue.

"We anticipate being ​up soon, and will provide updates as soon as possible," the company said on ‌its ⁠website.

A new ransomware trend

While the initial headlines focused on the staggering volume of compromised user data, it has also revealed a far more ominous development marked by the emergence of a terrifying new ransomware trend that could redefine digital extortion.

In the recent cyber attack, the hackers demanded a ransom to prevent the leak of sensitive information. They also threatened to sell data online if the ransom is not paid by May 12.

In standard ransomware attacks, the focus is usually placed on data encryption and financial extortion; the breach of a major educational platform like Canvas highlights a paradigm shift toward “systematic vulnerability” and “human-centric exploitations.”

ShinyHunters attack also shows weaponization of education continuity, making the academic progress of millions hostage. As a result of breach, hundreds of thousands of students have been unable to access course material, assignments, and grades.

Kean University junior Dihanel Antonio shared his ordeal, “Just as I was about to start (my last final), the website crashed. It’s cutting into my time that I have left to submit my assignments.”

Similarly, the Canvas hack also exposes the data sensitivity beyond credit cards or finances. The hackers could gain access to students’ behavioural data, years of proprietary research and unpublished research works.

Once considered as a “low value” target in the cybersecurity landscape, the recent crippling of the educational tool underscores a massive issue where the offenders can cause nationwide disruption.