Canvas just went down nationwide — and hackers are demanding ransom for 275 million students’ data

Millions of students woke up unable to access their coursework, grades, and assignments as Canvas—the learning management system used by nearly 9,000 schools and universities—went dark nationwide in what appears to be a coordinated ransomware extortion attack.

The attack represents one of the largest threats to K-12 and higher education infrastructure in recent memory. A cybercrime group defaced Canvas’s login page with a ransom demand, explicitly threatening to leak data belonging to 275 million students and faculty members unless the company pays. The disruption has already cascaded across classrooms, forcing institutions to scramble for alternatives and raising urgent questions about the security of centralized education platforms that now store sensitive personal information for nearly a quarter-billion people.

Canvas, owned by Instructure, is one of the most widely deployed learning management systems in North America. Teachers use it to post assignments, grade work, and communicate with students. Students rely on it to submit coursework, check grades, and access course materials. The platform’s ubiquity in education means that a successful attack doesn’t just disrupt one school—it ripples across entire districts and university systems simultaneously.

The defaced login page served as the attacker’s announcement mechanism, making the extortion demand visible to anyone attempting to access the platform. By choosing this high-visibility method, the cybercrime group ensured that the breach would be immediately noticed by thousands of institutions and millions of users. The scope of the threat—275 million individuals across nearly 9,000 educational institutions—suggests the attackers either gained access to Canvas’s central infrastructure or obtained a comprehensive database of user records from the platform.

Why Are Educational Platforms Such Attractive Targets?

The timing of the attack during the academic year maximizes disruption. Students cannot submit assignments or check grades. Teachers cannot post materials or communicate with classes. Universities and school districts that depend on Canvas for administrative functions—enrollment, transcript management, financial aid coordination—face operational paralysis. Many institutions have no immediate backup system ready to deploy at scale.

Research by the Government Accountability Office documents how ransomware attacks on K-12 schools have reported significant educational impact, with cybersecurity incidents disrupting learning across entire districts. The centralized nature of modern learning management systems amplifies this vulnerability exponentially.

What Data Is Actually at Risk?

For students, the immediate impact is straightforward: loss of access to their academic work. But the longer-term risk is more serious. If the attackers do release the data, 275 million individuals could see personal information exposed—names, email addresses, phone numbers, home addresses, enrollment records, grades, and potentially financial information linked to tuition or financial aid.

Educational records are particularly valuable on the dark market because they often contain verified identity information and can be used for identity theft, targeted phishing, or social engineering attacks against students and their families. Faculty members face similar exposure risks, along with the disruption to their teaching and research.

How Does Centralization Create Systemic Risk?

The attack also exposes a structural vulnerability in modern education infrastructure. As schools have consolidated on a handful of major learning management platforms, they’ve created single points of failure. A breach at Canvas affects nearly 9,000 institutions at once. A breach at a smaller, regional system might affect dozens. The centralization that makes administration easier also makes the system a higher-value target for attackers and creates systemic risk across the entire education sector.

Administrators at affected institutions must now contend with notification requirements, potential regulatory filings, and the operational nightmare of restoring service to thousands of classrooms simultaneously. The U.S. Department of Education has documented how cyber incidents in K-12 education range from data breaches to ransomware attacks that can paralyze entire school systems.

What Happens Next?

The ransom demand itself is a calculated pressure tactic. By publicly naming the volume of affected individuals and institutions, the attackers create reputational and operational urgency for Instructure. The company now faces a choice between negotiating with the cybercrime group, refusing to pay and risking the leak of 275 million records, or attempting to restore service while the attackers maintain leverage. Each option carries significant consequences.

Instructure has not yet released a public statement detailing the scope of the attack, the method of compromise, or their response strategy. The company’s silence during the active incident is typical—many organizations limit communication during ongoing extortion attacks to avoid amplifying the attacker’s demands or revealing information that could complicate recovery efforts.

As Canvas remains offline and students across the country face disrupted education, the incident serves as a stark reminder that even critical infrastructure serving hundreds of millions of people can be taken offline by a single coordinated attack. The coming days will reveal whether Instructure can restore service quickly, whether the attackers follow through on their threat to release data, and what this breach means for the future of centralized education platforms.