Skip to main content
Exam Week Chaos

Canvas cyberattack by ShinyHunters locks thousands during finals

ShinyHunters' claimed ransomware attack on Canvas by Instructure during finals week left tens of thousands of students at institutions across North America unable to access exams, coursework and grades, the company said Thursday, as the extortionist group has threatened to publish roughly 3.65 TB of stolen data unless schools contact them and hire cyber advisers.
 |  Friend Caio  | 
Generated by ABN - Copyright free
Generated by ABN – Copyright free

A widespread outage of the Canvas learning management system during finals week followed a ransomware incident claimed by the ShinyHunters extortion group, leaving tens of thousands of students at institutions across North America unable to access exams, coursework, and grades.

Service outage and restoration

Canvas by Instructure experienced an extended maintenance period on Thursday that the company linked to this week's attack. Instructure posted an update late Thursday stating Canvas was available for most users while noting Canvas Beta and Canvas Test remained in maintenance. Despite that update, many users continued to report access problems into Friday, prompting spikes in Downdetector complaints and localized exam disruptions, including at least one university that canceled final exams.

ShinyHunters’ claims and extortion warning

ShinyHunters asserted it had stolen roughly 3.65 TB of data from Instructure, including hundreds of millions of personal messages, and posted affected institutions on a leak site. The group later threatened more than 9,000 schools individually, warning that institutions must contact the actors via a specified channel and consult cyber advisory firms by May 12, 2026, to avoid public disclosure. A follow-up post on the leak site stated the group was inundated with press inquiries and declined further comment.

Defacements and campus impact

Multiple universities reported seeing ShinyHunters’ messages on Canvas login pages before the platform went into maintenance. The University of Pennsylvania was among those whose Canvas instance displayed the extortion notice, according to student reporting. As outages spread, students posted screenshots and updates on social media describing locked exams, failed submissions, and uncertainty during a critical assessment period. Some institutions advised password changes and warned about potential phishing risks tied to the incident.

Data exposure and response

Instructure’s initial investigation indicated exposed information included names, email addresses, student identification numbers, course enrollments, and internal communications. The company stated there was no evidence that passwords, dates of birth, government identifiers, or financial data were included in the exposure and pledged to notify impacted institutions if that assessment changes.

Context within prior attacks

The incident follows a familiar pattern in which cloud-based education technology providers are targeted by ransomware operators. A prior high-profile case involved PowerSchool, whose disruption in late 2024 affected thousands of K–12 institutions and later drove extortion efforts against individual school districts.

Most Read

Friend Caio

Life is a cycle of observing, learning, and taking action.

Latest Technology