Canvas Platform Disrupted for Hours by Cybersecurity Breach During College Finals Week

Instructure restored Canvas to full operation after a cybersecurity incident that took the education platform offline for several hours during finals week. The company detected unauthorized activity tied to the incident on April 29, 2026, immediately revoked the unauthorized party's access, started an investigation and brought in outside forensic experts.

On May 7, 2026, Instructure identified additional unauthorized activity linked to the same incident.

The unauthorized actor made changes to pages that appeared when some students and teachers logged in through Canvas. Out of an abundance of caution, Instructure temporarily took Canvas offline into maintenance mode after the May 7 activity to contain access and further investigate.

The company confirmed that the unauthorized actor had exploited an issue related to Instructure's Free-For-Teacher accounts, the same vulnerability that enabled the earlier access.

Instructure made the difficult decision to temporarily shut down its Free-For-Teacher accounts. This step gave the company confidence to restore access. Canvas is now fully back online and available for use, though Free-For-Teacher accounts remain temporarily shut down.

Instructure notified impacted organizations on May 5, 2026. Its outside forensic partner reviewed known indicators and found no evidence that the threat actor currently has access to the platform. The company has revoked privileged credentials and access tokens tied to affected systems.

Instructure deployed additional platform protections, rotated certain internal keys, restricted token creation pathways and added monitoring across its platforms. Its investigation is ongoing. Instructure has not found evidence that data was taken during the May 7, 2026 activity.

Based on Instructure's investigation, data taken in the April 29, 2026 incident includes names, email addresses, student ID numbers and messages among Canvas users. Instructure has found no evidence that passwords, dates of birth, government identifiers or financial information were involved in the breach. Instructure has not publicly verified the full scale of data claimed by the hackers.

The hacking group ShinyHunters claimed responsibility for the Canvas attack. ShinyHunters threatened to leak school data unless it heard from affected schools by May 12, 2026. ShinyHunters claimed it had data tied to nearly 9,000 schools and about 275 million people.

Student newspapers at Harvard, the University of Pennsylvania, Duke, UCLA and the University of Nebraska were blocked from using Canvas and saw a message from ShinyHunters. Canvas is used by colleges, universities and K-12 schools. It is where many schools post assignments, messages, grades, class updates and exam instructions.

Students across the country are preparing for finals or already taking them during the week of the outage. Fox News reported that the timing made the outage especially frustrating for students and teachers who rely on the platform for time-sensitive academic work.

This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. " The company's statement underscored both the scope of the response and the limits of what it has confirmed so far about the breach.