A cybercrime group has launched a data extortion attack against Canvas, the learning management system used by thousands of educational institutions across the United States. The attackers defaced Canvas' login page with a ransom demand and claimed access to records from 275 million students and faculty members spanning nearly 9,000 schools and universities.
The attack disrupted classes and coursework at affected institutions nationwide. The threat actors demanded payment in exchange for not leaking the compromised data. Canvas is operated by Instructure, a major provider of education technology serving K-12 schools, higher education institutions, and corporate training programs.
The scale of this extortion threat represents a significant risk to educational operations and student privacy. If the attackers' claims prove accurate, the breach would expose personal information from millions of individuals, including names, email addresses, and potentially sensitive academic records. Educational institutions typically store student identification numbers, grades, course registrations, and contact information on learning management systems like Canvas.
Schools and universities face immediate operational challenges as students and staff cannot access coursework, assignments, grades, and other academic materials. The disruption occurs during active semesters, potentially affecting exam schedules, assignment deadlines, and academic progress tracking.
Educational institutions now face a difficult decision regarding the ransom demand. Law enforcement agencies, including the FBI and CISA, generally advise organizations not to pay ransoms, as doing so finances criminal operations and provides no guarantee that stolen data will not be published. However, schools operating under tight budgets may face pressure to resolve the situation quickly.
Instructure has not yet released detailed information about the attack vector or confirmed the extent of compromised data. Organizations using Canvas should monitor official communications from the company and implement their incident response procedures. IT administrators should assume that credentials and personal data may have been exposed and consider implementing password resets and enhanced monitoring for suspicious account activity.
The incident underscores the