Education technology company Instructure took its Canvas learning management system offline Thursday during a cybersecurity incident, making the platform unavailable at schools nationwide and disrupting exams, coursework and grading during finals week.
The outage escalated an incident that schools had been warning about for several days as a data-security matter. Earlier campus notices focused on exposed Canvas user information, including names, email addresses, student ID numbers and messages. By Thursday, students and faculty were losing access to the course sites themselves.
Canvas is widely used by K-12 schools, colleges and universities to post assignments, quizzes, grades, course materials and messages.
St. Petersburg College said Thursday that Instructure had temporarily taken Canvas offline “for all institutions” while responding to the cybersecurity incident. The college said it first received notice May 4 of a recent data breach affecting colleges, universities and other organizations.
Baylor University said Thursday evening that Canvas was unavailable universitywide and described the outage as a nationwide issue. The university said several institutions had reported that Canvas access was blocked by a ransom notice and that Instructure took the platform offline in response.
The outage followed a new ShinyHunters message that appeared on Canvas login pages Thursday, according to Inside Higher Ed and BleepingComputer. The group claimed it had breached Instructure “again,” accused the company of applying security patches instead of negotiating and set a May 12 deadline for affected schools to contact it before data would allegedly be leaked. DysruptionHub could not independently confirm the group’s claim, and Instructure had not publicly confirmed a second breach.
James Madison University said Canvas sites at universities worldwide, including JMU, were down “in response to a security breach.” The university delayed Friday morning exams and told faculty to prepare for exams and grading without Canvas access.
The reports helped explain the shift in campus alerts Thursday. From at least May 4 through May 6, many schools treated the incident as a vendor data breach and phishing risk. On May 7, they began issuing outage alerts as Canvas became unavailable during exams, grading and end-of-term coursework.
The University of Texas at Austin had said earlier in the week that it was aware of a vendor security incident affecting Instructure but that Canvas continued to operate normally at the time. Rutgers University said Instructure notified it of a widespread data breach involving thousands of institutions.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
Instructure is based in Salt Lake City and provides education technology for K-12 schools, colleges and universities. Canvas is one of its core products, used to manage course materials, assignments, quizzes, grades and messages.
The outage is one of the more visible recent examples of an education technology vendor incident becoming a direct school disruption. A 2022 ransomware attack on Finalsite knocked thousands of school websites offline, while later incidents involving PowerSchool, Illuminate Education and Infinite Campus focused more heavily on student data exposure or narrower service interruptions. Canvas was different because schools reported losing access to a core classroom platform during exams, grading and end-of-term coursework.
The Verge reported that the extortion group ShinyHunters threatened to leak school data and claimed access to information from more than 9,000 schools and about 275 million people. DysruptionHub could not independently confirm the group’s claim, and schools’ public notices did not confirm a threat actor.
Officials have not publicly established a full restoration timeline, the number of affected U.S. institutions, the full scope of exposed data or whether a ransom demand was made directly to Instructure or individual schools.
A request for comment sent to Instructure late Thursday was not immediately returned.
As of Thursday evening, schools were warning users not to interact with suspicious Canvas messages, adjusting exams and grading plans, and waiting for further restoration updates from Instructure.
