Canvas system is online after a cyberattack disrupted thousands of
schools
[May 09, 2026]
By HEATHER HOLLINGSWORTH and COREY WILLIAMS
Tens of thousands of students studying for final exams around the world
Friday regained access to a key online learning system after a
cyberattack had earlier knocked it offline, throwing schools and
universities into turmoil.
Elizabeth Polo was in a creative writing class at the University of
Maryland late Thursday afternoon when a classmate shouted, “Canvas got
hacked.” A message from a hacking collective flashed on her computer
screen.
“Our whole class just like was like freaking out about it,” said Polo, a
junior. “Our poor professor was trying to get everyone to calm down but
it was just kind of chaos.”
Across academia, the outage set off panic and confusion as students and
faculty members found themselves locked out of a platform they rely on
to manage grades and access course notes and assignments. Colleges
scrambled to reschedule final exams as students lost any way to access
materials they needed to study.
Instructure, the company behind Canvas, said in an update late Thursday
that the system was available for most users.
“Instructure discovered the unauthorized actor involved in our ongoing
security incident made changes to the pages that appeared when some
students and teachers were logged in,” Instructure said Friday in a
statement. “Out of an abundance of caution, we immediately took Canvas
offline to contain access and further investigate.”
Instructure also said it confirmed that the unauthorized actor exploited
an issue related to its Free-For-Teacher accounts. The company has
temporarily shut down those accounts.
Instructure did not say whether it paid a ransom nor has it said what
happened with the compromised data.
Rich in digitized data, the nation’s schools are prime targets for
far-flung criminal hackers, who are assiduously locating and scooping up
sensitive files that not long ago were committed to paper in locked
cabinets. Past attacks have hit Minneapolis Public Schools and the Los
Angeles Unified School District.
Hackers breached data days before the outage
A hacking group called ShinyHunters claimed responsibility for the
breach at Canvas, said Luke Connolly, a threat analyst at the
cybersecurity firm Emsisoft. The hacking group posted online that nearly
9,000 schools worldwide were affected, with billions of private messages
and other records accessed, Connolly said.
The message that flashed on Polo's computer screen urged individual
schools to reach out directly to the hacking group to negotiate a
settlement and threatened to leak data if they didn’t. She said that
Canvas later took that message down, replacing it with a message saying
the site was undergoing scheduled maintenance.
Just before 1 a.m. Friday, Polo was able to submit an assignment on
Canvas, but she now worries personal data has been compromised.
Canvas went down just as deadlines were hitting
The outage happened just as a deadline arrived for semester-long
projects in one of Gwyneth Doland’s journalism classes at the University
of New Mexico.
“They were a little hyperventilating,” recalled Doland, who extended the
deadlines. “None of these platforms are fail-proof. I’m glad that they
got that lesson.”
[to top of second column]
|
An image of a notice sent by Georgia Tech's information technology
department warning students, professors and staff about the
cybersecurity breach of the Canvas system it uses for assignments
and grading is displayed on a phone, Friday, May 8, 2026, in
Decatur, Georgia. (AP Photo/Michael Warren)
That the attack came with finals looming came as no surprise to
Huseyin Can Yuceel, the security research lead at Picus Labs.
“Timing is everything, because they want to inflict pain as much as
possible,” he said, “so they can extort money out of it.”
Teachers said they had to find workarounds to help students study
for exams and submit final assignments. Some schools, such as the
University of Texas at San Antonio, announced they were pushing back
finals scheduled for Friday in response to the outage.
Rod Uzat, a professor of Educational Leadership at the University of
Texas Permian Basin, pushed back the posting of grades by a day.
“The concern is for those of us who were doing the grading if
there’s anything left,” Uzat said.
Rhongho Jang, a computer science professor at Wayne State University
in Detroit, was finalizing grades for a class of 94 students when
the system went down. He keeps paper copies of the student exams,
but all of the semester assignments, which make up half of the final
grade, are done online.
If those assignments and grades could not be recovered, Jang would
have given his students full credit.
“I didn’t want to penalize them,” he said. “We cannot judge based on
the data we don’t have. The final responsibility is still on the
server.”
A reliance on tech makes schools vulnerable
The breach underscored how much schools depend on outside companies'
digital platforms to keep their operations running.
“What it boils down to is concentration risk,” said Joseph
Blankenship, a vice president and research director at Forrester. He
said any space, including education, is particularly vulnerable when
there’s only one or maybe two key providers hosting essential
technology.
Allan Liska, of the cybersecurity firm Recorded Future, said the
outage did appear deliberate, not a glitch, and that Instructure was
trying to figure out how widespread the problem was and make sure
the hackers were no longer inside its system.
“There’s no indication at this point that any ransom has been paid,”
Liska said. “And it likely is still a little too early for a ransom
to have been paid. You know, normally these negotiations kind of
drag on for a while.”
Connolly described ShinyHunters as a loose affiliation of teenagers
and young adults based in the U.S. and the United Kingdom. The group
also has been tied to other attacks, including Live Nation’s
Ticketmaster subsidiary. ShinyHunters posted online that it was not
commenting on the Canvas incident.
ShinyHunters, or an offshoot, also was behind a previous smaller
breach of Instructure, Liska said. Sometimes small breaches reveal
weaknesses that threat actors later exploit in future leaks, said
Yuceel, who likened it to a leak in a boat.
“You fixed it, but you already have the water in the boat,” he said.
All contents © copyright 2026 Associated Press. All rights reserved |
