CANVAS BREACH DISRUPTS SCHOOLS NATIONWIDE

SECURITY DESK | 2 MIN READ
MON, JUN 8, 2026

■ AI-SUMMARIZED FROM 1 SOURCE

A cybercrime group launched a data extortion attack against Canvas, the education platform used by nearly 9,000 institutions, disrupting classes and coursework across the United States. The attackers defaced the login page with a ransom demand, threatening to leak data from 275 million students and faculty members.

Canvas, a widely used learning management system serving schools and universities nationwide, experienced significant disruptions as the breach unfolded. The attack specifically targeted the platform's login infrastructure, preventing legitimate users from accessing coursework, assignments, and course materials. The threat actors displayed a ransom message on Canvas's authentication page, claiming access to student and faculty records across thousands of educational institutions.

The scale of the threatened data exposure, 275 million individuals across nearly 9,000 schools, represents one of the largest potential educational data breaches in recent history. Data extortion attacks combine system compromise with blackmail tactics. Attackers threaten to publicly release sensitive information unless victims pay a ransom, creating urgency for institutions handling confidential student records, grades, and personal information.

The disruption affected classroom operations on a broad scale, with students unable to submit assignments and instructors unable to access student work or course materials. Many institutions depend on Canvas for core academic functions, making extended outages particularly damaging to academic schedules.

Canvas is operated by Instructure, a major educational technology company that serves K-12 schools, higher education institutions, and corporate training programs. The platform hosts millions of courses and serves as a central hub for online and hybrid learning environments. Schools and universities have increasingly relied on centralized platforms for learning management, making them attractive targets for large-scale extortion attacks. The incident highlights the security risks concentrated in widely adopted educational software systems.

Details regarding the attackers' identity, timeline of the breach, and whether ransom negotiations have begun remain unclear. Educational institutions are typically advised against paying ransoms, as doing so funds criminal operations and provides no guarantee of data deletion. Response efforts are ongoing as institutions work to restore full system access and assess the extent of any data compromise.

■ SOURCES

Krebs on Security
