Harvard Canvas stays online as Instructure breach hits schools worldwide

Harvard students headed into finals week kept access to Canvas even as a breach at the platform’s parent company spread across schools worldwide, turning a cybersecurity incident into an academic disruption with real classroom consequences. Harvard University Information Technology said at 2:25 p.m. on May 7 that Instructure had reported a contained incident, that the problem was not specific to Harvard, and that the Canvas platform remained operational with no other Harvard systems affected.

The wider incident looks far larger than a single-campus outage. Reporting tied to the breach says the ShinyHunters group claimed roughly 275 million records were stolen and circulated a list of 8,809 school districts, universities and online education platforms it said were affected. Those counts reportedly ranged from tens of thousands of records to several million per institution, a scale that underscores how much student, staff and alumni data sits inside a small number of education technology vendors.

Instructure said on its status page that the confirmed security incident was resolved by May 6 and that Canvas was fully operational, with no ongoing unauthorized activity. The company said it had been working with outside forensics experts and had already taken steps to contain the incident. It also urged customers to enforce multifactor authentication on privileged accounts, review administrative access and rotate API tokens or keys where appropriate, a reminder that the most immediate defense after a vendor breach is often to lock down the credentials already in circulation.

The timing made the episode especially sensitive at Harvard. The university’s calendar for Thursday, May 7 listed the final examination period, when students rely on course pages, quizzes, study materials and grading portals to finish the term. At schools caught in the wider blast radius, students reported losing access to those core functions even when no campus network had gone down, showing how a software vendor outage can interrupt teaching and assessment without touching a university’s own servers.

Harvard said it was working with Instructure to understand any specific impact to the university. The University of Memphis said Instructure disclosed the breach on May 1, and universities including the University of Minnesota were among the many institutions drawn into the broader fallout. The episode follows Instructure’s earlier disclosure in September 2025 of a social-engineering attack involving its Salesforce instance, when the company said no Instructure products or product data were accessed. Together, the two incidents show how higher education’s dependence on outside software vendors has become a standing operational risk, especially when attackers strike at the worst possible moment.