Harvard Canvas Goes Dark as ShinyHunters Demands Settlements From 9,000 Schools by May 12

Harvard University's Canvas learning portal went down Thursday afternoon after the cybercriminal group ShinyHunters listed the institution among thousands of schools caught up in a sweeping breach of Instructure, the Utah-based parent company of the Canvas learning management system. Canvas began redirecting Harvard users to a ransom message from the attackers around 3:30 p.m. local time, and by 4:30 p.m. both the web platform and the Canvas mobile app were inaccessible to roughly 25,000 students, faculty and staff. The university subsequently posted a notice that read "Canvas is currently undergoing scheduled maintenance."

ShinyHunters, which first claimed responsibility for the supply-chain attack on May 3, said in a public posting that it had compromised approximately 275 million records belonging to roughly 9,000 schools that use Canvas globally — including Harvard, MIT, the University of Pennsylvania, Oxford, and large numbers of U.S. K–12 districts. The group said the haul included "billions of private messages" containing what it described as "personal conversations." Instructure has confirmed that the affected data includes names, email addresses, student ID numbers and user-to-user messages, but has not yet quantified the breach independently.

The hackers set a hard deadline of end-of-day Tuesday, May 12, for affected schools to enter private negotiations or face having their data published in full. The University of Pennsylvania's student paper, The Daily Pennsylvanian, reported that more than 300,000 of its users were among those listed by the group. Harvard University Information Technology spokesperson Tim Bailey said the university was "actively investigating" the incident and that it was unclear precisely which Harvard data, if any, had been included in the leaked sample.

The breach is the second major incident at Instructure in less than two years and has reignited concern about the concentration of student data inside a single learning vendor. Inside Higher Ed reported that ShinyHunters' message to schools urged them to consult with cyber-advisory firms and to make contact privately rather than involve law enforcement. North Carolina school administrators told WRAL that several districts in the state lost access to Canvas during a critical end-of-year window for grading and exam administration.

Cybersecurity researchers tracking the group said the attackers exploited a third-party authentication path, allowing them to harvest tokens that effectively gave them administrative-level access to multiple Canvas instances at once. Instructure said it had revoked the relevant credentials, was rotating keys across all customer environments, and was working with federal investigators. School officials warned students and parents to be wary of phishing emails purporting to come from Canvas, Instructure or their own institution's IT help desk in the coming days.