New York — 

A cyberattack shut down an education platform used by universities and K-12 schools across the US Thursday, depriving students and teachers of essential classroom materials — at a time when many are taking or preparing for final exams.

Canvas, a popular, cloud-based digital hub for classrooms, has more than 30 million active users globally, with more than 8,000 institutions as customers, parent company Instructure says on its website.

Large public school systems and top universities like Columbia, Princeton, Harvard and Georgetown reported a ransom note signed by a hacking group had appeared on the homepage of their schools’ Canvas sites Thursday.

The hack came after the group believed to be behind it warned Instructure in a ransom note to “pay or leak,” saying it had accessed data from millions of users, including students, teachers, and staff.

The FBI has mobilized resources in multiple states to assist victims of the hack, a source familiar with the matter told CNN.

The FBI confirmed Friday the agency was aware of the platform service disruption and advised concerned students and faculty to wait for official guidance from their school “regarding the scope of the incident and the nature of any affected data.”

The agency warned impacted individuals to be wary of potential scammers claiming to have their data.

“By receiving a message, that does not necessarily mean your personal information has been compromised,” the FBI statement said, explaining scammers often exaggerate or lie about their access to data in order to get money from victims.

Instructure said Friday morning Canvas was “fully back online and available for use.” Multiple universities and school districts throughout the country reported their Canvas pages were back up and running on Friday, though some schools had already extended deadlines and changed finals schedules because of the hack.

Here’s what we know.

A University of Washington student who tried to log into Canvas around noon Thursday was greeted by a message from the hacking group ShinyHunters, which claimed to have “breached” the platform’s parent company, according to a screenshot obtained by CNN.

The note, reported by different student news outlets, demanded ransoms to prevent data leaks from the platform.

A student at the University of Pennsylvania said he was logged out of his Canvas account while studying for finals. Professors had to scramble to send class materials in other ways, the student said.

Universities across the country, including Columbia University, Rutgers, Princeton, Kent State, Harvard and Georgetown issued statements alerting students to the hack impacting institutions nationwide. School districts in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, Texas and Wisconsin also reported being affected.

This was the second school data breach claimed by ShinyHunters this month. In Thursday’s ransom note, the group claimed it had hacked Instructure “again” and faulted the company’s response to the previous attack: “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”

On May 1, Instructure said it “experienced a cybersecurity incident perpetrated by a criminal threat actor.” The company said the breach had been “contained” the next day but usernames, email addresses, student ID numbers and communications from some institutions appeared to have been exposed.

ShinyHunters claimed in a ransom note shared on May 3 by Ransomware.live, which tracks ransomware attacks and groups, that it had breached 275 million individuals’ data and had access to “several billions of private messages,” giving a May 6 deadline for Instructure to reach out.

In a note Thursday, the hacking group gave a May 12 deadline for impacted schools “to negotiate a settlement.”

During the Canvas interruption, Instructure said on Thursday it put the platform in “maintenance mode” as it investigated the issue. Later that night, it announced Canvas was available again “for most users.”

On Friday morning, Instructure announced an “unauthorized actor” exploited an issue related to the company’s Free-For-Teacher accounts.

“As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use,” the company said in a statement.

Cyberattacks on educational platforms are not new. Software provider Finalsite suffered a ransomware attack in July 2022. The websites of about 5,000 schools were impacted.

During the pandemic, ransomware attacks interrupted remote learning for a number of schools in the US, including an incident that forced Baltimore County Public Schools to temporarily close in November 2020.

The risk for students and faculty impacted by the attack, retired FBI special agent Richard Kolko says, is they could be victims, “not only today, but later.”

“You need to follow up…because they have this information on these students now and a couple (of) years from now, they may use some of that information to attack them,” Kolko told CNN’s Boris Sanchez.

The FBI has advised anyone who may have been affected by Thursday’s cyberattack to not engage with anyone who claims to have their data, including by responding to demands or sending payments.

“We encourage individuals to be cautious of unsolicited emails, calls, or texts claiming to be from your school, the (learning management system) provider, or law enforcement and to verify the contact through known channels before responding,” the statement added.

Little is publicly known about the hacking group that claimed responsibility for the Canvas outage, but cybersecurity researchers and federal authorities have linked the ShinyHunters name to several instances of high-profile data theft.

The group claimed responsibility for hacking Ticketmaster and attempting to sell user data on the dark web in 2024, CNN previously reported.

Earlier this year, Mandiant, a cyber-intelligence firm owned by Google, reported an increase in activity consistent with prior “ShinyHunters-branded extortion operations,” saying the attackers use sophisticated voice phishing and fake, company-branded login pages to harvest employee credentials before stealing sensitive data from cloud-based platforms for ransom.

In 2024, the US Department of Justice announced the sentencing of a member of what prosecutors described as a notorious international hacking crew tied to the ShinyHunters name. Authorities said a user operating under that moniker posted stolen data from more than 60 companies for sale on dark web forums and at times threatened to leak sensitive files if victims did not pay.

Court documents tied to the member who was sentenced show US-based victims included technology, entertainment, communications, clothing and fitness companies, as well as a video game developer.

How students and schools reacted

Melanie Topchyan, a senior at the University of California, Riverside, said she missed a quiz Thursday because of the outage and worried about staying on track. She said she has a midterm next week for a demanding course and relies on Canvas to revisit lectures and notes.

“It is a little bit of a freakout,” she told CNN.

Anish Garimidi, the University of Pennsylvania junior who was logged out of Canvas while trying to study, said he immediately felt a surge of anxiety.

“The biggest cause of fear and anxiety in me is that I was deprived of significant resources to study and do the best,” Garimidi told CNN.

For many students, the disruption landed at the worst possible moment. Georgetown sophomore Minhal Nazeer had returned home to Kentucky because all of her remaining coursework was online through Canvas.

But while some of her classmates were “freaking out,” she saw an upside in the extra time they got after professors extended deadlines.

“I was already in a good spot to finish all my papers, so I’m not too bothered by it, but I do see it is helping me a little because I have gotten some extension. I just have more time to look over my things,” she said.

A Columbia University senior, who declined to be named, said the outage came at the “most inopportune time” — just as many students were shifting from celebratory end‑of‑year events to serious exam preparation.

That was particularly difficult, he said, for those who had only just begun compiling notes and study guides after having “pushed off the thought of having to take exams in the following week.”

James Madison University moved some exams scheduled for Friday to Wednesday, the school said in an announcement.

The episode has underscored how deeply embedded Canvas has become in academic life at many institutions, not only as a submission portal but as a central communications tool.

Kent State said Friday it is “very concerned” about further disruptions as finals conclude.

The university said the disruption also affected areas like tuition billing and financial aid. “We are currently in contingency planning with all of those areas,” the statement said.

At the Massachusetts Institute of Technology, Allison Park, a junior, said professors were scrambling to locate students’ email addresses after losing access to Canvas’ announcement feature.

“The fact that this one website was the link between teaching staff and students outside of class — I didn’t realize how big of a dependency we had on it until they were scrambling to find our emails,” she said.

Liane Xu, another MIT student, said her courses rely on Canvas to collect assignments and manage grading. Although some professors host course materials on separate websites, she said critical resources, lecture videos, notes and study documents are often stored within the platform.

As the semester draws to a close, she said, access to those materials is essential.

“It’s unfortunate and we’re sort of the victims of this,” said the Columbia senior.

This story has been updated with additional information.