Schools and universities across the United States were thrown into disarray on Thursday after a cyberattack knocked the Canvas online learning platform offline just as students were sitting final exams. Parent company Instructure said Canvas was back online by Friday morning, having temporarily pulled it after detecting unauthorized activity on its network.

Instructure said the intruder was the same actor behind a data breach it had disclosed a week earlier. The exposed information included user names, email addresses, student ID numbers, and messages exchanged on the platform; the company said it had no indication that passwords, dates of birth, government identifiers, or financial details were involved. A ransomware crew using the ShinyHunters name claimed responsibility on its dark-web site and alleged the haul covered 275 million people tied to 8,800 schools.

As students tried to prepare for exams, Canvas login pages displayed a ransom demand claiming Instructure had rejected earlier extortion attempts and urging individual schools to negotiate directly. The disruption forced institutions to scramble: the University of Illinois reportedly postponed finals and assignments across the weekend, the University of Massachusetts Dartmouth rescheduled or extended due dates, and the University of California system issued directions to its campuses.

Canvas is not the first learning platform hit this way — last year PowerSchool, which serves some 60 million students across 16,000 K-12 schools, disclosed a breach exposing years of sensitive records. ShinyHunters has operated for years as a loose collective; in 2024 it stole a trove of credentials from cloud provider Snowflake and used them in follow-on breaches of Snowflake customers, including Ticketmaster.