Already a subscriber? Make sure to log into your account before viewing this content. You can access your account by hitting the “login” button on the top right corner. Still unable to see the content after signing in? Make sure your card on file is up-to-date.

A major US-based educational platform used by millions of students has been restored after a cyberattack by an international hacking group.

Some shit you should know before you dig in: If you’re unaware, Canvas is a web-based learning platform that serves as a central hub for course content, assignments, grades, and communication between teachers and students. Roughly 30 million people use the platform worldwide, spread across nearly 9,000 institutions, with affected schools spanning the US, Netherlands, Sweden, Australia, and the UK.

What’s going on now: Instructure (the parent company that operates Canvas) acknowledged the first breach, calling it a “cybersecurity incident perpetrated by a criminal threat actor” and saying by May 2 that the situation had been “contained.” Instructure said the breach may have exposed user info such as names, emails, student ID numbers, and direct messages between users on the platform. The hacking group claiming responsibility is ShinyHunters, a cybercrime syndicate formed around 2019-2020 that’s been linked by cybersecurity researchers to a string of high-profile data thefts including Ticketmaster, AT&T, Rockstar Games, and Salesforce.

This comes after ShinyHunters posted a ransom letter on May 3 (shared via the ransomware tracking platform Ransomware.live) claiming it had breached data on 275 million individuals from nearly 9,000 schools and giving Instructure a May 6 deadline to reach out. The group then went a step further Thursday, defacing Canvas login pages at several schools by planting an HTML file that swapped the standard sign-in screen for a ransom message claiming credit for the attack.

ShinyHunters claims its total haul comes to 3.5 terabytes, with the stash reportedly made up of names, emails, student ID numbers, and private user messages, with the group claiming access to “several billions of private messages.” Instructure spokesperson Brian Watkins told TechCrunch the company immediately took Canvas offline “out of an abundance of caution” once it discovered the defaced login pages, and confirmed the same hackers were behind both incidents.

The FBI confirmed it was “aware of a service disruption” impacting a learning platform and said it had teams working across a number of states to support affected users, though the agency stopped short of naming Canvas in its statement. The bureau told affected students and staff to hold off and follow whatever direction their schools put out, and to ignore anyone reaching out who claims to have their personal info. “By receiving a message, that does not necessarily mean your personal information has been compromised.”