Canvas learning platform restored after cyberattack disrupts schools worldwide

2026-05-10 By Main Street Independent

Instructure, the company behind the Canvas learning management system, took the platform offline late Thursday after discovering that an unauthorized actor had exploited a Free-For-Teacher account to breach the system and posted messages from a hacking collective on user screens.
The hacking group ShinyHunters claimed responsibility, posting online that nearly 9,000 schools were affected and that it had accessed billions of private messages and other records, according to threat analyst Luke Connolly of Emsisoft.
Students and faculty at institutions including the University of Maryland, the University of New Mexico, and the University of Texas at San Antonio reported chaos, with exams rescheduled and assignment deadlines extended.
Cybersecurity experts stated that the education sector is a prime target for attackers because of the concentration of sensitive data and reliance on a small number of platforms, and that the timing during finals was likely intended to maximize disruption and extortion leverage.

The Canvas online learning platform, used by thousands of schools worldwide, went dark Thursday afternoon after a cyberattack compromised the system, leaving students and professors scrambling during the critical final exam period. Instructure, the Salt Lake City-based company that operates Canvas, said in a statement Friday that it had discovered an unauthorized actor had made changes to pages displayed to users and took the platform offline “out of an abundance of caution to contain access and further investigate.”

The attack hit just as semester-long projects and finals were coming due. Elizabeth Polo, a junior at the University of Maryland, was in a creative writing class when a classmate shouted “Canvas got hacked,” and a message from a hacking collective flashed on her computer screen. “Our whole class just like was like freaking out about it,” Polo said. “Our poor professor was trying to get everyone to calm down but it was just kind of chaos.”

Gwyneth Doland, a journalism professor at the University of New Mexico, recalled that her students “were a little hyperventilating” as a deadline for major projects arrived. Doland extended the deadlines. “None of these platforms are fail-proof,” she said. “I’m glad that they got that lesson.” The University of Texas at San Antonio pushed back finals scheduled for Friday, and at the University of Texas Permian Basin, professor Rod Uzat delayed posting grades by a day.

Instructure said the attacker exploited an issue related to its Free-For-Teacher accounts, which the company has temporarily shut down. It did not disclose whether a ransom had been paid or what happened with compromised data.

The hacking group ShinyHunters claimed responsibility, according to Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft. Connolly said ShinyHunters posted online that nearly 9,000 schools worldwide were affected and that billions of private messages and other records had been accessed. The message that appeared on students’ screens urged individual schools to negotiate directly with the group and threatened to leak data if they did not. Canvas later replaced that message with a notice saying the site was undergoing scheduled maintenance, Polo said. Just before 1 a.m. Friday, she was able to submit an assignment, but she now worries personal data was compromised.

The timing was no accident. “Timing is everything, because they want to inflict pain as much as possible, so they can extort money out of it,” said Huseyin Can Yuceel, security research lead at Picus Labs.

Digital reliance has made schools prime targets. “What it boils down to is concentration risk,” said Joseph Blankenship, a vice president and research director at Forrester. He noted that any sector relying on one or two key providers is especially vulnerable. Allan Liska of the cybersecurity firm Recorded Future said there was no indication a ransom had been paid. “It likely is still a little too early for a ransom to have been paid. You know, normally these negotiations kind of drag on for a while,” Liska said.

Rhongho Jang, a computer science professor at Wayne State University in Detroit, was finalizing grades for a class of 94 students when Canvas went down. He keeps paper copies of student exams, but all semester assignments—half the final grade—live online. If those assignments and grades could not be recovered, Jang said he would give his students full credit. “I didn’t want to penalize them,” he said. “We cannot judge based on the data we don’t have. The final responsibility is still on the server.”

ShinyHunters is described as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom, and the group has been tied to other attacks including Live Nation’s Ticketmaster subsidiary, Connolly said. Liska noted that ShinyHunters, or an offshoot, was behind a previous smaller breach of Instructure, a leak that may have exposed weaknesses later exploited. Yuceel compared it to a leak in a boat: “You fixed it, but you already have the water in the boat.” By Friday morning, Canvas had restored service for most users, but the cleanup and investigation are ongoing.

Machine-readable details

Article metadata

Published: 2026-05-10
Topic tags: computing and information technology, education, disaster
Primary entities: Canvas (Instructure), ShinyHunters, Emsisoft, U.S. higher education
Themes: Cyberattack, Education technology, Data breach, School cybersecurity
Framework version: 1.3.0
Generated: 2026-05-29T14:04:55Z
Consensus floor: v0.3.0
Mindspec: v0.3.0