A cyberattack on Instructure, the company behind the Canvas learning management platform, has disrupted schools and universities during finals season and raised concerns about exposed student, teacher and staff data.
Instructure confirmed that it recently experienced a cybersecurity incident carried out by a criminal threat actor. The company said its investigation found that some identifying information was involved, including names, email addresses, student ID numbers, and messages exchanged by users.
Instructure said it had found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
The incident gained wider attention after ShinyHunters, a criminal extortion group, claimed responsibility for the breach. The group claimed that data connected to nearly 9,000 schools had been stolen and that as many as 275 million people could be affected, including students, teachers, and other staff.
Those figures have not been independently confirmed, and several reports stressed that the full scope remains unclear.
The disruption escalated on Thursday, May 7, when Canvas was placed into maintenance mode. Instructure said Canvas, Canvas Beta, and Canvas Test were taken offline, then later reported that Canvas was available again for most users while Canvas Beta and Canvas Test remained under maintenance.
The outage came at a sensitive point in the academic calendar, with students preparing for final exams and schools relying on Canvas for assignments, grades, course materials, and class communication.
Reports from several news outlets described widespread confusion at schools and universities. The Associated Press reported that institutions including Virginia Tech, the University of New Mexico, and the University of Florida notified students about the situation, while the University of Texas at San Antonio pushed back some Friday finals because of the outage.
The attack also appeared to move beyond data theft. BleepingComputer reported that Canvas login portals for about 330 educational institutions were defaced with an extortion message for roughly 30 minutes before being taken offline.
The message allegedly warned schools that stolen data would be leaked unless they contacted the hackers by May 12, 2026, to negotiate a payment.
View this post on Instagram
TechCrunch also reported seeing defaced Canvas login pages at three schools. The outlet said the attackers appeared to have injected an HTML file that changed the login screens and displayed the extortion message.
TechCrunch reported that a member of ShinyHunters described the portal defacement as a second, separate breach, although the exact method used to compromise the login pages remains unclear.
Instructure said it had taken several response steps after discovering the incident, including revoking privileged credentials and access tokens, deploying security patches, rotating certain keys as a precaution and increasing monitoring. The company also said it was working with outside forensic experts.
The case highlights a larger risk for education: one widely used vendor can connect thousands of institutions to a single point of failure. Canvas is one of the most widely used learning management systems in North America, and Inside Higher Ed reported that it is used by 41 percent of higher education institutions in the region.
Canvas, used by countless educational institutions, experienced a data breach. The key takeaway here is the ripple effect a single platform vulnerability can have across thousands of organizations. Universities worldwide need to assess potential exposure, not just their own…
— Ran Geva (@rangeva) May 7, 2026
Cybersecurity experts warned that even data that may appear limited can still create serious risks. Names, school email addresses, student IDs and private messages can help attackers craft convincing phishing messages that reference actual schools, classes, teachers or assignments.
That kind of information can be used to target students, parents and staff after the immediate outage ends.
For schools, the immediate challenge is restoring access and confirming which users were affected. For families and students, the main concern is what data was exposed and whether that information could be reused in scams. Instructure has said it is communicating directly with impacted customers and will provide organization-specific information and support.
The full scale of the breach remains under investigation. For now, confirmed facts show that Instructure acknowledged an incident, confirmed exposure of some user information and took Canvas offline during a second wave of disruption. The claims about hundreds of millions of affected people come from the hackers and remain unverified.
