The learning-management system Canvas briefly went offline after a cybersecurity breach, disrupting coursework and final exams for students and faculty at thousands of U.S. colleges and K–12 districts.
Millions of users rely on Canvas to share materials, submit assignments, track grades and communicate—Instructure, Canvas’s parent company, says about 30 million people use the platform and that it serves roughly half of higher-education institutions in North America. The outage struck during a critical period for many schools: finals week.
Users who tried to log in on Thursday encountered a warning screen claiming responsibility from a group known as ShinyHunters, the same actor previously linked to a major Ticketmaster breach. The message said the group had already breached Instructure and accused the company of ignoring them. On a threat-intelligence posting earlier in the week, the group said an initial breach had exposed data from some 275 million students, teachers and staff at nearly 9,000 schools worldwide, and warned that data would be leaked unless affected institutions negotiated through specified channels by a stated deadline.
Instructure confirmed it detected unauthorized activity in Canvas at the end of April and began an investigation. It temporarily took Canvas offline after the same actor “made changes that appeared when some students and teachers were logged in.” The company said the apparent exploit involved its Free-for-Teacher accounts, which it has suspended while it investigates. Instructure later announced that Canvas had been restored for most users and expressed regret for the disruption. The company also stated that the data exposed so far appear to be identifying information—names, email addresses, student ID numbers and user messages—and that passwords, birth dates, government identifiers and financial information did not appear to be involved.
It remains unclear whether Instructure negotiated with the attackers or whether the threat actors halted their activity for other reasons. Cybersecurity specialists say either outcome is possible: the platform could be back because a ransom or settlement was paid, or because the attackers were stopped before they could do more. Regardless, experts warn of likely follow-on effects, especially phishing attempts that try to harvest credentials or trick users with fake instructor messages or account-reset prompts.
Not everyone regained access immediately. Some universities and school districts kept Canvas offline or warned users not to attempt to log in while they verified system integrity. Penn State reported partial restoration but said the system was not yet ready for regular use. Several University of California campuses said they would not restore access until they were confident the system was secure. Montgomery County Public Schools in Maryland and others said they would continue testing before allowing families and students back in.
The outage forced some institutions to postpone or cancel finals and assignments. The University of Illinois postponed exams and assignments scheduled through Sunday. Penn State canceled certain exams and was working with faculty on alternate grading plans. Baylor delayed planned exams and asked instructors to redistribute any materials they had saved locally. With Canvas down or cautioned against, schools and professors scrambled to find alternative ways to share readings and coordinate assessments—email, cloud drives or other platforms.
The incident highlighted the risks of centralizing so much course management on a single platform. Instructors reported panicked messages from students who suddenly could not access lecture slides, readings or practice exams while preparing for upcoming finals. Some professors said they will now keep local copies of course materials and maintain separate grade records in case a similar outage happens again.
Security professionals say the incident also exposed gaps in institutional preparedness for cyber incidents. Beyond restoring service, schools must assume attackers may still have access to some systems and plan accordingly. Recommended steps for students, faculty and staff include being on high alert for unsolicited emails or messages, avoiding clicking links in unexpected communications, using a password manager to create unique passwords, enabling multi-factor authentication on all accounts, and verifying unusual requests through a separate channel (for example, contacting a professor by phone or an official school email address listed on the university website).
Experts also urge institutions to create concrete disaster-recovery plans: how to continue teaching and communicating if a major platform becomes unavailable, how to protect and rotate sensitive data, and how to treat those affected with transparency and fairness while decisions about grading and deadlines are made.
The Canvas incident is a reminder that no system is invulnerable and that resilience—both technical and operational—matters. For now, many schools are focused on confirming security, rescheduling assessments, and advising their communities on how to reduce further risk. Students and instructors are being asked to watch for suspicious messages, change reused passwords elsewhere, and prepare for alternative ways to receive course materials and submit work if the platform becomes unreliable again.