Canvas outage after cyberattack disrupts thousands of schools nationwide

A cyberattack on Canvas rippled through classrooms and testing centers, cutting off a system schools use to manage assignments, grades, attendance and class messages just as students were preparing for finals. Penn State said no one had access to Canvas and that a resolution was not expected within 24 hours, while its Pollock Testing Center canceled tests scheduled for Thursday and Friday.

Instructure, the Salt Lake City company behind Canvas, disclosed a cybersecurity incident on May 1 and said it was working with outside forensics experts. The company later said Canvas was fully operational again and that it was not seeing ongoing unauthorized activity. But by May 7, several universities reported that access had been blocked by a ransom notice, and Instructure took Canvas offline again as the investigation intensified.

University notices said the incident affected thousands of institutions worldwide. The information involved appeared to include names, email addresses, student ID numbers and messages among users. Instructure said it had found no evidence that passwords, dates of birth, government identifiers or financial information were involved.

The disruption was not limited to one campus or one state. Reports named Penn State, the University of Wisconsin-Madison, Columbia University, UCLA, Northwestern University, the University of Chicago, the University of Illinois Chicago, the University of Illinois, Harvard and public school districts in Spokane, Washington. Baylor University said the problem was nationwide and that several universities had seen their Canvas access blocked.

Baylor also said Canvas supports learning at 41% of higher education institutions in North America, a concentration that helps explain why a single vendor outage could touch so many schools at once. Instructure urged customers to enforce multifactor authentication on privileged accounts, review admin access and rotate API tokens or keys where applicable. Baylor warned users not to click suspicious links or reply within the system until further notice, underscoring how campuses were forced into damage-control mode as classes, exams and communications were disrupted.

The breach has been linked to ShinyHunters, which claimed responsibility, according to university notices and reporting. CBS and AP reported that the group said nearly 9,000 schools worldwide were affected and threatened to leak data by Thursday and May 12, suggesting extortion efforts may still have been underway. The episode fit a broader pattern of attacks on education technology firms, following earlier breaches involving PowerSchool and Infinite Campus, and it exposed how dependent schools have become on one digital platform for daily operations.