Canvas Hack Disrupts Finals at Thousands of Schools Worldwide

Massive Cyberattack Strikes During Finals Season

A devastating cyberattack on Canvas, the widely-used educational platform, has disrupted finals week for millions of students across the globe. The hack is considered the largest educational security breach on record as of 8 May 2026 due to its unprecedented global scale, affecting 8,809 universities, educational ministries, and other institutions worldwide. A cyberattack shut down an education platform used by universities and K-12 schools across the US Thursday, depriving students and teachers of essential classroom materials — at a time when many are taking or preparing for final exams.

Canvas, a popular, cloud-based digital hub for classrooms, has more than 30 million active users globally, with more than 8,000 institutions as customers, parent company Instructure says on its website. The platform is the most widely adopted learning management system in North American higher education where 41% of institutions use the software. Students found themselves locked out while studying for exams, forcing professors to scramble to distribute materials through alternative channels.

Large public school systems and top universities like Columbia, Princeton, Harvard and Georgetown reported a ransom note signed by a hacking group had appeared on the homepage of their schools' Canvas sites Thursday. The timing couldn't have been worse—during one of the most stressful periods of the academic year when students desperately need access to course materials and exam schedules.

ShinyHunters Claims Responsibility

The criminal extortion group ShinyHunters claimed responsibility for the attack. On a dark web leak site, the group alleged it had stolen more than 3.65 terabytes of data and threatened to release it unless its demands were met. The group said it stole roughly 275 million records tied to students, teachers and staff, and shared a list of 8,809 school districts, universities and online education platforms it claims were affected.

Luke Connolly, a threat intelligence analyst at the cybersecurity firm Emsisoft, described ShinyHunters to the Associated Press as a loose group of teenagers and young adults based in the U.S. and the United Kingdom. The group is believed to have been formed in 2020 and has been involved in previous high-profile hacking incidents. In 2024, Ticketmaster owner Live Nation confirmed "unauthorized activity" on its database after ShinyHunters claimed to have stolen the personal details of 560 million customers, including phone numbers and partial credit card details.

What makes this attack particularly concerning is that this is Instructure's second confirmed breach in approximately eight months. In September 2025, the same ShinyHunters group exploited a social engineering attack against the company's Salesforce environment. The repeated targeting suggests the hackers have developed sophisticated methods for penetrating the company's defenses.

Global Impact and Response

The attack's reach extends far beyond U.S. borders. Educational institutions in the United States, Canada, United Kingdom, New Zealand, Australia, Sweden, the Netherlands, and Singapore reported disruptions or potential exposure of user information. Several universities, including the University of Melbourne, University of Technology Sydney, Royal Melbourne Institute of Technology, Griffith University, Adelaide University, and University of Canberra are offering extensions on assignments to affected students.

The FBI has advised anyone who may have been affected by Thursday's cyberattack to not engage with anyone who claims to have their data, including by responding to demands or sending payments. Officials across the country are advising students, parents and staff to be cautious of unsolicited emails or messages that appear to come from Canvas, particularly those requesting personal information or password resets.

The company said it had found no evidence that passwords, dates of birth, government identifiers, or financial information were involved in the hacking. However, names, email addresses, ID numbers, and messages had been stolen for ransom. While Canvas has resumed operations, the incident highlights the vulnerability of educational technology infrastructure that millions depend on daily.

Looking Ahead

This breach represents a troubling trend in cybercriminal tactics. This breach follows a clear pattern we've been watching for the last 18 months," said Doug Thompson, chief education architect and director of solutions engineering for Tanium, a cybersecurity management company. Rather than targeting individual schools with limited resources, hackers are focusing on the vendors that serve thousands of institutions simultaneously.

The education sector faces unique challenges in defending against such sophisticated attacks. A majority of K-12 technology leaders (65%) say the top barriers to addressing cybersecurity challenges are insufficient staffing and lack of a dedicated budget, according to the U.S. State of EdTech 2026 report from the Consortium for School Networking. As educational institutions become increasingly digitized, they present attractive targets for criminals seeking valuable personal data.

While Canvas is back online, this incident serves as a wake-up call for the entire education technology ecosystem. Schools and vendors must prioritize cybersecurity investments to protect the sensitive data of hundreds of millions of students and educators who rely on these platforms for their daily academic activities.