By Boluwatife Oshadiya | May 8, 2026
KEY POINTS
- Hacking group ShinyHunters claims responsibility for breaching Instructure, owner of the widely used Canvas learning management system, affecting nearly 9,000 educational institutions and data of about 275 million students, teachers, and staff.
- Major disruptions hit universities including Penn State, University of British Columbia, University of Toronto, UCLA, University of Chicago, Harvard, and others during critical end-of-year exams and assignments.
- Instructure reports Canvas available for most users by late Thursday, but ransom demands and potential data leak threats continue with a May 12 deadline.
MAIN STORY
A major cyber attack on Thursday disrupted the Canvas learning management system operated by Instructure, causing widespread chaos across universities and schools in the United States and Canada during the high-stakes end-of-semester period.
The hacking group ShinyHunters claimed responsibility, alleging it breached Instructure and stole substantial data, including names, email addresses, student ID numbers, and billions of private messages. The group published a list of affected institutions and displayed ransom notes on some Canvas login pages, urging schools to negotiate settlements privately to avoid data leaks, with deadlines including May 12.
Institutions across North America reported immediate impacts. Penn State University informed students that no one had access to Canvas and indicated a resolution was unlikely within 24 hours, leading to the cancellation of some exams. The University of British Columbia advised users to log out immediately due to a “cyber breach” of Instructure. The University of Toronto confirmed it was among multiple affected universities.
Students at UCLA faced difficulties submitting assignments, while the University of Chicago temporarily disabled its Canvas page. Harvard, Duke, MIT, and many others also reported outages or defaced login pages. Instructure later posted updates stating Canvas was “available for most users,” with some instances placed in maintenance mode as investigations continued alongside forensic experts and law enforcement.
ShinyHunters, known for previous high-profile attacks, escalated by defacing login pages and threatening to release 3.65 terabytes of data if demands were unmet. Instructure has confirmed unauthorized access but stated no evidence of compromised passwords, financial records, or certain sensitive identifiers, though names, emails, IDs, and messages may be affected.
The incident coincides with broader concerns over cybersecurity in education technology. On the same day, U.S. Senate Democratic Leader Chuck Schumer urged the Trump administration and Department of Homeland Security to bolster defenses against cyber risks, particularly in the context of rapidly advancing AI technologies that could exacerbate such threats.
THE ISSUES
The attack highlights systemic vulnerabilities in critical education technology infrastructure relied upon by millions. Canvas serves a large share of higher education institutions in North America, making it a high-value target. Repeated incidents at Instructure, including a prior breach, underscore challenges in securing cloud-based platforms handling sensitive student data amid rising ransomware and extortion tactics by groups like ShinyHunters.
This disruption during finals season amplifies risks to academic continuity, student performance, and institutional operations, while raising questions about third-party vendor accountability and preparedness in the education sector.
WHAT’S BEING SAID
“Canvas is currently unavailable due to a cyber breach of its parent company Instructure,” the University of British Columbia informed students.
Instructure has engaged external forensics experts and notified law enforcement, emphasizing ongoing remediation and monitoring.
Cybersecurity analysts note that extortion discussions may be ongoing, with the group pressing for payments to prevent data releases.
WHAT’S NEXT
Instructure continues investigating and restoring full services, with updates available on its status page. Affected institutions are monitoring for further developments and advising vigilance against phishing. The May 12 ransom-related deadline set by ShinyHunters remains a key watchpoint. Broader policy responses to education sector cyber risks, including potential DHS involvement, could emerge in coming days.
THE BOTTOM LINE:
This attack on a core education platform exposes the fragility of digital learning infrastructure and the real-world costs of cyber extortion at scale. For ed-tech providers and institutions, it signals an urgent need for stronger resilience measures as reliance on such systems grows.
