Canvas outage hits college finals after cyberattack, disruption ripples

Canvas, the online platform used by many colleges and universities to manage course materials and grades, went down during the final-exam period after an outage tied to a cyberattack disrupted access for students and instructors nationwide, according to reporting by the Associated Press. By late Thursday, Instructure, the parent company of Canvas, said the platform was available again to most users, though some schools continued to restrict access while they assessed the security threat.

The disruption landed in the middle of a high-stress period for many campuses that depend on Canvas not only for assignments and notes but also for grades, messaging between students and instructors, and course discussions. The platform also serves as a venue for quizzes, exams, and the submission of final projects and papers on deadline, meaning an outage can directly interfere with the exam workflow rather than merely slowing ancillary tasks.

As the incident unfolded, the hacking group ShinyHunters claimed responsibility for the breach, according to Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft. Connolly said that ShinyHunters described itself on a page listing its targets and that the group has been linked to other large-scale cyberattacks, including one involving Ticketmaster. Instructure and Canvas also faced uncertainty as some campuses weighed how quickly to restore access while reviewing potential vulnerabilities tied to the platform.

Some schools responded by adjusting exam schedules. The University of Massachusetts Dartmouth said it would postpone exams scheduled for Friday and Saturday to give students time to review course materials that would not have been accessible during the shutdown. The University of Illinois postponed all exams scheduled for Friday, Saturday or Sunday for all classes, regardless of whether the courses used Canvas.

Other districts continued limited access even after Canvas returned for most users. Montgomery County Public Schools in Maryland said it would continue to block students and teachers from using Canvas on Friday while it worked to better understand the full impact of the incident and any potential vulnerabilities involving information connected to the platform.

The outage also raised questions about student data privacy. Steve Proud, Instructure’s chief information security officer, said in an update shared May 2 that the company’s investigation showed no evidence that passwords, dates of birth, government identification or financial information were compromised, though the breach appeared to involve student ID numbers, email addresses, names and messages on the Canvas platform.

Even with access restored, cybersecurity experts urged impacted students and educators to be alert to possible follow-on attacks such as phishing. Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, warned that attackers could impersonate a school district and send malicious messages prompting users to reset their Canvas password.

Steinhauer said, “Be very suspicious of any inbound messages,” and added that caution was especially important when urgent action is requested. Experts also framed major incidents as a reminder to revisit basic “cyber hygiene” steps, including using hard-to-guess passwords, enabling multi-factor authentication when possible, and monitoring online accounts for suspicious activity. The Federal Trade Commission also noted that nationwide credit bureaus—Equifax, Experian and TransUnion—offer free credit freezes and fraud alerts.

MSI previously reported that Canvas returned online after the cyberattack disrupted finals for students at thousands of schools in MSI coverage from May 9.