Higher education has long drawn ransomware and data-extortion crews, but rarely has an attack on a single platform so thoroughly disrupted thousands of US schools at once. The widely used Canvas learning system was placed into "maintenance mode" on Thursday after its maker, education-tech giant Instructure, suffered a data breach and an extortion attempt by attackers using the ShinyHunters moniker.

The hackers had been advertising the breach and pressing for a ransom since May 1, but the situation turned urgent on Thursday when the Canvas outage hit schools mid-finals. Universities including Harvard, Columbia, Rutgers, and Georgetown warned students, and districts in at least a dozen states appeared affected. On their dark-web site, the attackers claimed the breach touched more than 8,800 schools, though the true scale remains unclear.

In an incident log that began May 1, Instructure CISO Steve Proud said the company had suffered "a cybersecurity incident perpetrated by a criminal threat actor," and that the exposed data for affected institutions included names, email addresses, student ID numbers, and platform messages. The status was marked "Resolved" on Wednesday, only for a new login issue Thursday to escalate into the maintenance-mode shutdown; service was restored for most users by late evening.

TechCrunch reported a secondary wave in which attackers defaced some schools' Canvas portals by injecting an HTML file; per The Harvard Crimson, Harvard's login page was altered to list allegedly affected schools and urge a settlement before May 12. The ShinyHunters name is tied to massive data dumps and the loose "Com" collective, though its current operators are unclear. Allison Nixon of Unit 221b said the activity appears related to a group sometimes called ScatteredLapsus$Hunters.