Cyberattack Shutters Canvas, Disrupting Finals and Raising Data Breach Fears

Canvas went offline Thursday, forcing students and teachers across the United States to scramble for grades, assignments, lecture videos and other class materials in the middle of finals season. The disruption hit one of the country’s most widely used learning systems, with Instructure saying Canvas has more than 30 million active users.

Instructure said the outage stemmed from a cybersecurity event carried out by a criminal threat actor and that the unauthorized actor exploited an issue tied to its Free-For-Teacher accounts. The company later said it had temporarily taken parts of Canvas offline out of an abundance of caution while it investigated the breach.

The company also disclosed that names, email addresses, student ID numbers and messages among users could have been among the information obtained. ShinyHunters claimed responsibility for the attack, and a threat analyst said the group posted that nearly 9,000 schools worldwide were affected. Screenshots reportedly showed the hackers began threatening on Sunday to leak the data, first setting a Thursday deadline and then May 12, a sign that extortion talks may have been underway.

Universities moved quickly to assess the damage. The University of Iowa College of Public Health described the episode as a “national-level cybersecurity incident.” Virginia Tech said it knew the outage could affect final exams and other end-of-semester activities, underscoring how deeply the platform was woven into daily academic operations.

The attack fit a pattern that has become increasingly familiar to school systems nationwide. Districts and universities store large volumes of sensitive digitized records, making them attractive targets for criminals seeking leverage, ransom or stolen personal data. Prior major attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District, and the Canvas breach bore a striking resemblance to the PowerSchool incident that previously rattled schools and families.

The immediate damage was operational: class notes were unreachable, assignments were delayed, and final exam plans were thrown into doubt. The larger risk is structural. When one private platform sits at the center of so many schools’ grading and communication systems, a single breach can ripple from classrooms to district offices in minutes, exposing how much of K-12 education now depends on a handful of vulnerable digital gates.