Canvas Platform Outage Hits Students During Finals After Cybersecurity Breach

Canvas, a platform used by colleges, universities and K-12 schools, went down for several hours during finals week after Instructure detected unauthorized activity from a cybersecurity incident.

The outage struck at a critical time. Students and teachers rely on Canvas for assignments, messages, grades, class updates and exam instructions. Instructure spotted the initial breach on April 29, 2026, revoked the intruder's access and launched an investigation with outside forensic experts.

On May 7, the company identified more unauthorized activity from the same actor, who altered pages visible to some logged-in users. Instructure shifted Canvas to maintenance mode to contain the issue and add safeguards. The company later confirmed the attacker exploited a vulnerability in Free-For-Teacher accounts, prompting a temporary shutdown of those accounts.

In a statement, Instructure said, "Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused."

The disruption affected schools nationwide, including Harvard, the University of Pennsylvania, Duke, UCLA and the University of Nebraska. Users there saw messages from the hacking group ShinyHunters, which claimed responsibility and threatened to release school data by May 12, 2026, unless schools responded.

ShinyHunters said it held data on nearly 9,000 schools and 275 million people. Instructure has not verified that scope. The company's probe found the April 29 breach exposed names, email addresses, student ID numbers and user messages at affected organizations. No evidence emerged of stolen passwords, dates of birth, government IDs or financial data. The May 7 activity yielded no confirmed data theft, though the investigation continues.

Canvas returned fully online after Instructure revoked credentials, rotated keys, restricted tokens and boosted monitoring. Its forensic partner found no ongoing access by the threat actor.

Instructure notified affected organizations on May 5, 2026. Students and staff should contact their schools first and watch for phishing using leaked details like school emails or IDs.