The widely used education platform Canvas suffered a major security breach this week, with the hacking group ShinyHunters claiming responsibility and threatening to publicly release stolen data unless affected institutions make contact by May 12. Students at thousands of universities and colleges across the United States and Europe found themselves locked out of the platform on Thursday, May 7, with some Canvas pages redirecting to a message posted directly by the attackers. Canvas, developed by Utah-based company Instructure, is used by schools and universities to manage assignments, grades, and course materials, and counts more than 30 million users worldwide.

ShinyHunters stated in its message that Instructure had been breached once again — describing it as a repeat intrusion — and accused the company of ignoring earlier communications and simply applying security patches rather than negotiating. The group had previously set a payment deadline that expired on Wednesday, and has now issued a fresh ultimatum. Among the US institutions confirmed as affected are Harvard University, the University of Pennsylvania, Duke University, UCLA, and the University of Nebraska, according to reports from their respective student newspapers. The breach is said to involve the data of millions of students, academic staff, and other education workers.

The impact extended well beyond the United States. In the Netherlands, the umbrella body Universities of the Netherlands confirmed that seven institutions were affected, including the University of Amsterdam, Vrije Universiteit Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology, Maastricht University, and the University of Twente. Instructure responded by placing Canvas and related services in