Instructors faced a fresh attack when hackers defaced Canvas login pages, following a data breach that exposed students’ names, emails and teacher‑student messages. ShinyHunters, the group behind the original leak, injected an HTML file into three school portals, turning login screens into a ransom message.

The notice demands a settlement before stolen data—believed to cover 231 million people across nearly 9,000 schools—goes public on May 12. Instructure’s Canvas site shows intermittent outages and a “scheduled maintenance” banner, while the company has yet to comment. The move heightens pressure on educators to comply and prevent unintended disruption in learning environments.

ShinyHunters claims this is a second, separate breach, but their tactics mirror past campaigns: hack, leak and extort. The group’s public leak site publishes stolen files to coerce victims into paying. With this latest defacement, the attackers aim to raise stakes, forcing Instructure and its clients to negotiate to avoid data leakage and financial loss.

The incident underscores the fragility of cloud‑based education platforms when exposed to coordinated cyberattacks. Schools relying on Canvas must review access controls, monitor for unauthorized script injections, and maintain robust incident‑response plans. Until Instructure resolves the outage and addresses the ransom threat, administrators should treat the platform as potentially compromised in the short term unless.