A sweeping cyberattack on Instructure, the company behind the widely used Canvas learning management system, disrupted access for thousands of schools and universities across the United States on Thursday, hitting during one of the most critical periods of the academic year.

The breach, attributed to the cyber extortion group ShinyHunters, temporarily blocked entry to Canvas for students and instructors across major institutions, interrupting final exams, assessments and grade submissions. Some users attempting to log in were shown a message claiming that Instructure’s servers had “again” been compromised, along with threats to release stolen data if schools did not make contact by 12 May.

Platform at the centre of US academic life

Canvas is a cloud-based learning management system used by schools, colleges and universities to organise coursework, manage grades, host learning materials, and facilitate communication between students and staff. Its widespread adoption, covering thousands of institutions, means any outage can ripple across the country, particularly during finals week.

On Thursday, students attempting to sign in at several universities encountered a message attributed to ShinyHunters stating that servers belonging to Instructure had “again” been breached. The notice accused the company of ignoring the group’s earlier contact, "Instead of contacting us to resolve it they ignored us and did some 'security patches,'" it read.

The hackers told schools to work through a cyber advisory firm and reach out privately "to negotiate a settlement," warning that stolen information would be released if they did not respond by the deadline.

How the attack unfolded

According to student newspapers and social media reports, the defaced login pages were the result of malicious HTML being injected into institutional Canvas portals. TechCrunch reported that the attackers replaced standard login screens with ransom warnings, and that both Instructure’s website and Canvas itself were intermittently inaccessible, sometimes showing “too many requests” errors or “scheduled maintenance” messages.

ShinyHunters also published a link to a list of schools they claimed to have affected. The group said it had penetrated nearly 9,000 educational institutions worldwide and obtained data connected to hundreds of millions of users.

Instructure confirmed that data compromised in an earlier incident included student and staff names, email addresses, ID numbers and private messages exchanged on the platform. The company said that breach had been contained, but acknowledged that a separate outage was now impacting customers nationwide.

Universities scramble as outages hit finals week

Institutions across the United States reported significant disruptions:

  • Indiana University said instructors were unable to upload grades or access assignments, calling it a “global outage.” A message from the Luddy School warned students that accounts and credentials “may be compromised”.
  • Princeton University saw its Canvas system fail less than a day before final assessments were due to begin. Staff were urged to download gradebooks as a precaution.
  • Harvard University, Duke University, Brown University, University of California Irvine, University of Wisconsin–Madison, Penn State, Georgetown University, San Diego State University and the University of Pennsylvania all reported service interruptions or publicly acknowledged the breach.

Several universities cautioned students to watch for phishing attempts exploiting leaked personal details, as attackers may use stolen names, emails or ID numbers to craft convincing scams.

Stanford University reported that Canvas was “currently unavailable due to an issue being experienced by the vendor.” It added that Instructure had recently disclosed a nationwide security issue it believed had been contained, but that a new outage was affecting “numerous other educational institutions nationwide.”

Who are ShinyHunters?

ShinyHunters is a long-running cyber extortion group active since at least 2019. Known for their “pay or leak” model, the hackers typically demand ransoms from affected organisations and threaten to publish stolen data if negotiations fail. The group has repeatedly targeted educational platforms and technology companies, often publicising breaches on dark-web leak sites to increase pressure.

In this latest incident, ShinyHunters urged institutions to communicate with them via the encrypted messaging service TOX, reiterating that data would be released if talks had not begun by 12 May 2026.

(With AFP inputs)