Canvas returned for many students and schools on Friday after a cyberattack disrupted access to the online learning platform during the final-exam period, throwing course schedules and grading processes into disarray. Tens of thousands of students studying for exams worldwide regained access after the outage earlier knocked the system offline, according to the Associated Press.

Instructure, the company behind Canvas, said in an update late Thursday that the system was available for most users. In a statement Friday, Instructure said it discovered that the unauthorized actor involved in an “ongoing security incident” had made changes to pages that appeared when some students and teachers were logged in. The company said it took Canvas offline “to contain access and further investigate,” and later restored access for most users.

Instructure also said it confirmed that the unauthorized actor exploited an issue related to its Free-For-Teacher accounts, and it temporarily shut down those accounts. The company did not say whether a ransom was paid, and it did not provide details about what happened with any compromised data.

Students described sudden panic as Canvas became unavailable. Elizabeth Polo, a junior in a creative writing class at the University of Maryland, said a classmate told her late Thursday afternoon that “Canvas got hacked” after a message from a hacking collective appeared on her computer. Polo said her class went into confusion as her professor tried to calm students. She said Canvas later removed that message and replaced it with a statement that the site was undergoing scheduled maintenance.

After the outage, some students were still able to reach Canvas intermittently as finals deadlines hit. Polo said she was able to submit an assignment on Canvas just before 1 a.m. Friday, but she said she worried that her personal data may have been compromised.

Across universities and colleges, instructors and administrators scrambled to keep courses moving as Canvas functions they rely on for assignments and grades were disrupted. At the University of New Mexico, journalism student Gwyneth Doland said the outage arrived as deadlines for semester-long projects were due. Doland said instructors extended deadlines and noted that “none of these platforms are fail-proof,” a lesson that she said the incident reinforced for students.

Other schools pushed back exam timetables and grading milestones. The University of Texas at San Antonio announced it was pushing back finals scheduled for Friday, and Rod Uzat, a professor at the University of Texas Permian Basin, said he pushed back posting grades by a day. At Wayne State University, computer science professor Rhongho Jang said he was finalizing grades for a class of 94 students when the system went down and that he keeps paper copies of exams, but most semester assignments—which count for half of the final grade—are completed online. Jang said if those assignments and grades could not be recovered, he would have given students full credit, explaining, “We cannot judge based on the data we don’t have.”

Security analysts said the timing and the mechanics suggested an intentional disruption rather than a simple technical glitch. Huseyin Can Yuceel, security research lead at Picus Labs, said the timing appeared designed “to inflict pain as much as possible,” so attackers could extort money. Joseph Blankenship, vice president and research director at Forrester, said the incident illustrated “concentration risk,” arguing that education becomes vulnerable when only one or two key providers host essential technology.

Threat analysts also addressed what the incident likely involved. Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft, said a hacking group called ShinyHunters claimed responsibility and that it posted that nearly 9,000 schools worldwide were affected, along with claims about access to private messages and other records. Allan Liska of Recorded Future said there was “no indication at this point that any ransom has been paid,” and that it likely was still early for payment given how such negotiations typically unfold.

Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom, and said the group has been linked to other attacks, including those involving Live Nation’s Ticketmaster subsidiary. Liska said ShinyHunters, or an offshoot, was also behind a previous smaller breach of Instructure, and he said such smaller intrusions can reveal weaknesses later exploited for leaks.

Instructure said Canvas was disrupted when the company took the platform offline during the investigation, and then moved it back online for most users. As students and institutions rebuilt access, the incident underscored the stakes of relying on major external platforms to manage daily academic operations during the period when deadlines and grades are most critical.