Instructure cyberattack results in widespread Canvas outage

By Alvin Wu
Science and Technology
Instructure cyberattack results in widespread Canvas outage

ShinyHunters defacement message on school Canvas instances on Thursday, May 7, 2026. This screenshot is from the Rutgers Canvas instance. ZFJ/Witness

COLLEGE PARK, Md., May 8 (ZFJ) — A cyberattack on Instructure resulted in its Canvas learning management system going down on Thursday, May 7.

Instructure, a platform used by thousands of universities and K12 schools in the U.S. and globally, was compromised by extortion gang ShinyHunters, which claimed on its Tor data leak site that it had exfiltrated over 3.65 terabytes of personally identifiable information (PII) and private messages sent via Canvas Inbox for nearly 9,000 schools. The criminals also claimed that they breached Instructure’s Salesforce instance (a database) and demanded payment to prevent them from leaking all of the data.

Steve Proud, Instructure’s chief information security officer (CISO), first notified customers that the company was responding to a security incident on Friday, May 1.

In an update on Saturday, May 2, he confirmed that the compromised data included names, email addresses, student ID numbers, and private messages. He added that the company had not seen evidence that sensitive information like passwords, dates of birth, government identifiers, or financial information had been leaked.

On Wednesday, May 6, Instructure reported that Canvas was fully operational and all unauthorized activity had been eliminated.

ShinyHunters had given Instructure a deadline of May 6 to negotiate payment to prevent data leakage. In a leak site post on Tuesday, May 5, the cybercriminals lamented that “Instructure has not even bothered speaking to us to understand the situation or to even negociate with us to prevent the release of this data.” They then posted a list of educational institutions they claimed were affected and encouraged individual schools to contact them by the end of Thursday, May 7, to make payments.

The criminals were apparently not satisfied that their threats had not been gaining momentum. On May 7, they defaced every school’s Canvas instance with a message threatening a data leak unless the schools or Instructure negotiated a payment by next Tuesday, May 12.

Following the defacement, Instructure placed Canvas in maintenance mode for the rest of the day, meaning students were unable to submit coursework or access resources through the platform. The severity of this outage was exacerbated by the fact that many universities are finishing their semesters and beginning final exams at this time.

UMD Canvas instance displaying a maintenance message on Thursday, May 7, 2026. ZFJ/Alvin Wu UMD Canvas instance displaying a maintenance message on Thursday, May 7, 2026. ZFJ/Alvin Wu

At 21:17 MDT (11:17 p.m. EDT) on May 7, the company reported that Canvas was once again available for most users.

ZFJ editor-in-chief Alvin Wu checked ShinyHunters’ Tor data leak site at 1:47 a.m. on May 8 and did not see Instructure listed as a victim anymore.

ShinyHunters Tor data leak site as of 1:47 a.m. on Friday, May 8, 2026. ZFJ/Alvin Wu ShinyHunters Tor data leak site as of 1:47 a.m. on Friday, May 8, 2026. ZFJ/Alvin Wu

Extortion cybercriminal groups generally do not remove victims from their websites unless the victim has negotiated a payment. The victims who remain listed on their site with download links refused to fork over any payments and have thus been publicly punished with data leaks. Cybercriminals use these public leaks as leverage to coerce future victims to pay ransoms.

Educational institutions are extremely attractive targets for extortion and ransomware cybercriminal gangs due to the amount of sensitive data they hold and the fact that many schools lack the resources to properly defend against cyberattacks.

Since identifying information like names and email addresses have been compromised, students at schools that use Canvas should be vigilant for targeted phishing attacks.

IMPACTED UNIVERSITIES

All universities using Canvas were impacted by the outage, and many sent out guidance on how to submit coursework or postponed final exams to be held on the next day.

At the University of Maryland, College Park (UMD), the day after the outage is the last day of classes, meaning many final projects are due. The Division of IT (DIT) posted guidance for faculty members on its website. At 11:04 p.m. on May 7, it posted that Canvas appeared to be functional again but urged people not to use it, as “DIT Security is not confident the system is safe to use right now.”

Rutgers University began final exams on May 7. In a message to the community, Provost Jason Geary announced that finals for the New Brunswick campus on May 8 would be postponed.

The New Jersey Institute of Technology (NJIT) limited access to Canvas pending further security reviews out of an abundance of caution. The university said that it expected access to be restored by the morning of Friday, May 8.

IMPACTED K12 SCHOOLS

Montgomery County Public Schools (MCPS) in Maryland disabled Canvas (myMCPS Classroom) in response to the cybersecurity incident. The system remains unavailable pending reviews by MCPS technology and security staff.

Princeton High School’s student newspaper, The Tower, in N.J. reported that the district’s chief technology officer wrote in a statement to students and parents that the district reported its Canvas incident to the N.J. Cybersecurity and Communications Integration Cell (NJCCIC) and warned of a potential increase in phishing emails.

References