Canvas Hack Hits 8,800 Schools, Delays Finals Across US

Canvas went dark for millions of students around 5 p.m. ET on Thursday, May 7, after hackers breached Instructure's systems. The outage lasted roughly four hours, with service restored by 9:30 p.m., according to Columbia University's student newspaper. The timing couldn't have been worse: finals week at most US colleges.

The attack hit 8,800+ institutions globally, from kindergartens through PhD programs. Universities including Columbia, Stanford, Princeton, Harvard, and Georgetown all reported outages. Students lost access to exams, assignments, lecture videos, and grades at the exact moment they needed them most.

Instructure confirmed the incident in status updates throughout the evening, calling it a "cybersecurity incident" without initially naming the perpetrators.

The ShinyHunters hacking group claimed responsibility, according to cybersecurity analyst Luke Connolly from Emisoft. Fortune reports that ShinyHunters operates as a "loose affiliation of teenagers and young adults" based primarily in the US and UK.

This isn't their first rodeo. The group has previously targeted major companies including Microsoft, Tokopedia, and Wish. Their MO typically involves data theft followed by ransom demands, often posting stolen information on dark web forums if organizations refuse to pay.

The ransom note left at affected schools suggests this was financially motivated rather than some elaborate student prank, despite the timing.

The breach potentially compromised personal information for millions of students. According to ABC7NY, exposed data includes names, email addresses, phone numbers, student ID numbers, and internal messages between students and faculty.

While Instructure hasn't confirmed the full scope of the data breach, the inclusion of internal messages is particularly concerning. These could contain assignment feedback, grade discussions, and sensitive academic information that students wouldn't want public.

Schools are advising students to monitor their accounts for suspicious activity and change passwords across all platforms. Some institutions are offering credit monitoring services to affected students, though the logistics of rolling this out to millions remain unclear.

The outage created immediate chaos during finals period. Columbia University postponed some final exams entirely, while other schools extended deadlines or switched to paper-based testing. Students who'd spent weeks preparing lost access to study materials, lecture recordings, and practice exams.

Professors couldn't upload final grades or communicate with students about exam logistics. The disruption is expected to ripple through graduation timelines and summer course registration at affected institutions.

Some schools are still playing catch-up. California campuses, where Canvas usage is particularly heavy, reported ongoing disruptions extending into the weekend. The University of Manchester in the UK and Universidad del Desarrollo in Chile confirmed similar issues, showing this wasn't just a US problem.

This attack highlights how centralized educational technology creates massive single points of failure. When one platform serves 30+ million users across 8,800 institutions, any breach becomes a national education emergency.

The incident will likely accelerate conversations about platform diversification and backup systems. Schools that relied entirely on Canvas for exam administration found themselves scrambling for alternatives mid-finals. Expect to see increased investment in redundant systems and offline backup protocols.

For EdTech companies, this serves as a wake-up call. The sector has grown rapidly during the pandemic, but security infrastructure hasn't kept pace. Smaller competitors to Canvas might see this as an opportunity to pitch more distributed or secure alternatives.

Instructure has restored service but investigations continue. The company hasn't disclosed whether it paid any ransom or how many student records were actually compromised. Affected institutions are conducting their own security reviews while working with law enforcement.

Students should expect delays in final grade postings and potential schedule disruptions for summer sessions. Some schools are offering "incomplete" grades that can be changed once systems stabilize, while others are implementing emergency grading policies.

The incident will likely trigger broader policy discussions about student data protection in educational technology. Expect congressional hearings and potential new regulations governing how EdTech companies handle sensitive student information.