Canvas cyberattack during finals week raises concerns over school cybersecurity

A cyberattack targeting the widely used learning platform Canvas disrupted schools and universities during one of the busiest periods of the academic year, leaving students and lecturers unable to access coursework, exams and study materials during finals week.

The attack has been linked to ShinyHunters, a group previously associated with high-profile data breaches and extortion campaigns. Reports indicated that login portals connected to Canvas at hundreds of institutions were altered with ransom-style messages warning that stolen information would be leaked unless the attackers were contacted.

According to reports, the hackers claimed to have accessed data connected to millions of students, teachers and university staff across thousands of educational institutions. The disruption immediately created problems for schools that relied heavily on digital systems for examinations, assignment submissions, and communication.

Hackers exploited an issue linked to teacher accounts

Instructure, the company behind Canvas, said the attackers exploited a vulnerability connected to its Free-for-Teacher accounts. The company temporarily shut down parts of the platform while investigators examined the incident and worked to restore services.

The outage quickly affected schools and universities across several regions, leaving students and instructors locked out of essential online resources. Many were unable to download lecture notes, submit coursework or access exam schedules during the critical assessment period.

During the early stages of the disruption, some users reportedly encountered a message on the Canvas login page from ShinyHunters claiming the group had breached Instructure “again”. The message warned schools to contact the attackers before a 12 May 2026 deadline to prevent the publication of stolen data.

The ransom-style notice also allegedly included the names of affected schools, reinforcing concerns that the operation was designed to pressure institutions into negotiations. While Instructure restored access to parts of the platform, questions remained about the scale of the breach and the potential impact on users whose information may have been exposed.

Instructure stated that neither passwords nor financial information were compromised during the attack. However, the company acknowledged that hackers accessed data including names, email addresses, student identification numbers and internal messages exchanged through the platform.

Cybersecurity experts have warned that such information could still present serious risks. Attackers could use the stolen details to launch convincing phishing campaigns referencing real classes, lecturers, or university departments, increasing the likelihood that students or staff will be deceived into revealing further sensitive information.

Students and lecturers faced major disruption

The timing of the attack significantly increased its impact on schools and universities. With many institutions conducting final examinations and processing end-of-term coursework, the outage disrupted academic schedules and forced administrators to make emergency adjustments.

Some institutions reportedly postponed examinations, while others encouraged lecturers to offer greater flexibility regarding assignment deadlines and attendance requirements. Students already under pressure from finals faced additional uncertainty after losing access to revision materials, assessment instructions, and communication channels.

The disruption highlighted how dependent many educational institutions have become on a small number of digital platforms. For many students, Canvas serves as the primary location for lecture recordings, assignment submissions, grades and direct communication with instructors.

As a result, even a temporary outage can affect large parts of a school’s operations. The incident also raised broader concerns about the resilience of education technology systems and institutions’ ability to continue operating during cyber incidents.

The attack has also renewed discussion about the growing cybersecurity threats facing the education sector. Schools and universities are increasingly attractive targets for cybercriminals because they store large volumes of personal data while often operating with limited cybersecurity budgets and ageing IT infrastructure.

Experts have noted that educational institutions frequently struggle to balance accessibility and security, particularly when platforms are designed to support large numbers of students and staff accessing systems remotely from different locations and devices.

Previous breaches linked to ShinyHunters add to concerns

ShinyHunters has previously been associated with several major cyber incidents involving well-known companies and online services. The group has gained notoriety for stealing large volumes of data and using extortion tactics to pressure organisations into making payments.

The hackers have also previously targeted Instructure. In September 2025, ShinyHunters reportedly accessed the company’s Salesforce environment through a social engineering attack aimed at business systems. At the time, Instructure said no Canvas product data had been exposed and that the compromised information mainly involved public business contact details.

The latest incident has intensified concerns that educational technology providers may face sustained targeting from organised cybercrime groups seeking access to valuable user data. Even after systems are restored, organisations can remain vulnerable to extortion demands, reputational damage and follow-up phishing campaigns.

Although Canvas services have largely returned online, the broader risks associated with the breach may persist for some time. Reports suggested that ShinyHunters had removed Instructure from its “Pay or Leak” portal, potentially indicating that discussions between the parties were taking place. However, no official confirmation regarding negotiations has been provided.

The attack is expected to increase pressure on schools, universities, and technology providers to strengthen cybersecurity protections and develop more robust contingency plans for future outages. Institutions are also likely to review how they store sensitive student information and how quickly alternative systems can be activated during emergencies.

For many educators and students, the incident served as a reminder that digital learning platforms are no longer optional tools but essential infrastructure supporting modern education systems. As reliance on online services continues to grow, cybersecurity failures can have immediate consequences for millions of users.