Canvas Hacked
The cyberattack on Canvas has been linked to the hacking group ShinyHunters, which reportedly left ransom demands on affected university systems. (Stock photo) Tima Miroshnichenko/Pexels

Universities brace for the possibility of dark web leaks after hacking group ShinyHunters claimed responsibility for Canvas data breach.

As educational institutions worldwide scramble to identify the extent of the damage caused by the Canvas hack, students are equally concerned that the breach might have compromised their personal information and private messages.

The ShinyHunters hacking group threatened to leak sensitive data of up to 200 million users across 9,000 educational institutions worldwide unless a ransom is paid.

Canvas Hacked By Bad Actors with Criminal History

Ed-tech company Instructure reported the cybersecurity incident happened on 1 May, describing it as an unauthorised access by a criminal threat actor previously involved in breaches at Ticketmaster, Google, and Ivy League universities.

ShinyHunters also allegedly infiltrated K-12 LMS Infinite Campus in March, as well as publishing company McGraw Hill in April.

Shortly after Instructure confirmed the breach, ShinyHunters posted a 'pay or leak' ultimatum with a deadline set on 6 May, according to Inside Higher Ed. The group claimed to have exfiltrated 3.65 terabytes of data including names, email addresses, student ID numbers, and user messages from Canvas LMS.

'This breach follows a clear pattern we've been watching for the last 18 months,' cybersecurity solutions expert Doug Thompson told the outlet. 'Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once.'

'It's the math of a bank robber who just figured out where the armoured truck stops,' he added. 'Why hold up a hundred branches when the truck visits all of them? The real risk now is downstream. With access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be generic. It will reference real courses and real conversations, which makes it far more likely to succeed.'

How Hacked Data Makes It to the Dark Web

Hackers like ShinyHunters may leak data to the dark web using Tor, a browser designed to maximise its users' online privacy. This allows access to leak sites and forums with anonymity. They often package stolen credentials, emails, financial details, or databases into 'combo lists' or 'fullz' files, posting samples to prove authenticity before full dumps.

Leak sites operated by groups like ransomware gangs serve as extortion hubs, where data appears if ransoms are ignored or go unpaid. Interested parties purchase bundle packages using cryptocurrency, and the data is then resold via Telegram channels or paste sites, evading detection via encryption and .onion domains.

The victims' data are then used to fuel criminal activity, including blackmail, targeted scams, and account takeovers.

Universities Urge Vigilance Against Cybercriminals

ShinyHunters escalated the threat by defacing Canvas login portals for hundreds of colleges, displaying messages claiming responsibility for the breach and warning of data release if ignored. Beyond conducting their own internal investigations, universities have warned their students and staff to be extra cautious about impersonators.

'Be alert to unsolicited emails or messages appearing to come from Canvas or your institution, particularly any requesting login credentials or personal information,' urged Brian Sandoval, president of the University of Nevada, Reno. Columbia and Rutgers universities have issued similar alerts.

Instructure's Chief Information Security Officer, Steve Proud, attributed the breach to a vulnerability in company systems, which he said had already been resolved. The company revoked privileged credentials, rotated encryption keys, and restored most Canvas services. He said the system has been restored to full operational status as of 6 May.

Writer's pick