Canvas cyberattack knocks universities offline, forces exam cancellations

During finals season, a cyberattack on Canvas, the learning management system by ed-tech firm Instructure, disrupted coursework at universities across the US and potentially exposed data on millions of users.

What happened

The hacker group ShinyHunters claimed responsibility for breaching Instructure, the company behind Canvas, a platform used by more than 30 million active users for course content, assignments, and grades. On May 1, Instructure acknowledged a "cybersecurity incident perpetrated by a criminal threat actor." By May 2, the company said it had contained the situation but disclosed that names, email addresses, student ID numbers, and user messages may have been compromised. On May 8, Canvas went offline after users were redirected to a message from the hackers. Instructure confirmed the breach exploited a vulnerability in its Free-For-Teacher accounts and temporarily shut those accounts down to restore broader platform access. The hackers claim to have obtained data on 275 million individuals from nearly 9,000 schools and set a May 12, 2026 deadline for a settlement before threatening to leak the data.

The backstory

On May 3, ShinyHunters sent a ransom letter to Instructure claiming it held data from approximately 9,000 schools and warning the company that a May 6 deadline was approaching. Instructure did not publicly respond to those demands. By May 8, Canvas went offline mid-day during what the hackers characterized as retaliation for the company's failure to engage. The hackers' message referenced prior contact, "Instead of contacting us to resolve it they ignored us and did some 'security patches.'"

This wasn't Instructure's first encounter with the group. ShinyHunters claimed a prior breach of the company earlier in May, suggesting the Canvas attack was part of an escalating campaign.

Going deeper

The attack followed a pattern consistent with the group's methods, which is, data exfiltration first, then platform disruption as leverage. The group posted a ransom note with a list of affected schools and a deadline for settlement.

Their broader methodology, detailed during the 2024 sentencing of French member Sebastien Raoult, involves creating convincing fake login pages that mimic legitimate businesses and sending phishing emails to employees with links to those pages. Once credentials are captured, the group accesses company networks and third-party providers. The group operates through encrypted communication channels and has historically used dark web marketplaces to hawk stolen data. Even after law enforcement seizures, those forums have re-emerged, and the group has continued operating.

What was said

Instructure confirmed to TIME that it took Canvas offline "out of an abundance of caution" to investigate the breach. In its statement, the company said, "We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use."

Columbia University said it was "working actively with schools to minimize academic disruption, create alternative mechanisms to prepare for and deliver exams, and provide appropriate flexibility during this period."

Georgetown University advised users to remain "mindful of unsolicited emails or messages appearing to come from Canvas, particularly those requesting login credentials or personal information."

By the numbers

• 30+ million active Canvas users globally
• 275 million individuals' data allegedly stolen across nearly 9,000 schools
• May 12, 2026 deadline set by ShinyHunters before threatened data release
• At least 9 major universities confirmed outages or disruptions, including Harvard, Penn State, Columbia, Georgetown, University of Illinois, James Madison University, University of Michigan, University of Chicago, and the University of California
• ShinyHunters previously claimed 560 million Ticketmaster customer records in 2024
  
  

In the know

Canvas is a learning management system (LMS). A cloud-based platform that schools and universities use to host course content, assignments, grades, and communications between students and instructors. Because an LMS touches nearly every aspect of academic life, a breach doesn't just compromise personal data it also disrupts the academic infrastructure that exams, coursework, and grading depend on.

ShinyHunters is a loosely organized hacking group that emerged in 2020 and immediately launched a two-week breach spree, claiming to have hit more than a dozen companies and stolen over 200 million customer records in that window alone. The group uses the avatar of the "shiny" blue Umbreon Pokémon. David Tuffley, a cybersecurity expert from Griffith University described the group as "well-established" and noted they operate from highly encrypted channels, making geographic attribution difficult. "Even if one individual is apprehended, there's still many out there," he said. "Unfortunately, they are getting better organised all the time."

Why it matters

Finals season means even a brief outage forces universities to cancel exams, extend deadlines, and get alternatives. ShinyHunters has shown that they don't just steal data they weaponize the threat of releasing it. Their standard approach is to exfiltrate first, then use the data as leverage, and if ignored, escalate by disrupting the platform itself.

For students and faculty, the exposed names, email addresses, and student IDs create a ready-made targeting list for phishing campaigns, especially ones designed to look like official Canvas or university communications. Georgetown's warning to watch for suspicious emails requesting login credentials is well-founded because that is how ShinyHunters has historically monetized stolen data.

The bottom line

Universities should evaluate contingency plans for LMS outages and assess what data they share with third-party platforms. Students and faculty should change Canvas passwords, watch for phishing attempts exploiting the disruption, and check for any credential reuse across other platforms. As Matthew Warren of RMIT's Centre for Cyber Security Research noted of prior ShinyHunters attacks, "Once the data has been stolen from the organisation there is nothing that the organisation can do to protect the data." Prevention, through encryption, credential hygiene, and phishing training, is a good defense.

FAQs

What should I do if I'm a Canvas user?

Change your Canvas password, avoid clicking any unsolicited emails claiming to be from Canvas, and monitor your accounts for unusual activity.

Will ShinyHunters actually release the data if no settlement is reached?

The group has followed through on data releases in past breaches, so the May 12 deadline should be treated as a credible threat.

How did ShinyHunters get into Canvas?

The group exploited a vulnerability in Instructure's Free-For-Teacher accounts.