Canadian universities affected by cyberattack on Canvas system used by thousands of schools as finals loom

A cyberattack on Instructure’s Canvas learning management system left thousands of schools worldwide offline on May 7, 2026, disrupting academic operations as students prepared for finals. The hacking group ShinyHunters took credit for the breach, which affected nearly 9,000 institutions, including Canadian universities like the University of Toronto (Quercus) and the University of British Columbia (UBC). Both universities confirmed their systems were unavailable, advising users to change passwords if they accessed Canvas after 12 p.m. PT. ShinyHunters posted screenshots online, warning of data leaks unless demands were met by May 12, suggesting ongoing negotiations over extortion payments. The group previously targeted education systems, including PowerSchool, and has ties to attacks on Ticketmaster. Universities like Virginia Tech and the University of Iowa also reported disruptions, with officials urging patience as they worked to restore services. Canvas, used for grades, assignments, and lectures, became a prime target due to its vast repository of sensitive student data. The attack highlights growing risks for digital education systems, which now store records once kept in physical, secure formats. Instructure has not publicly addressed the incident, leaving affected institutions to manage communications and security advisories independently. School districts, including Spokane Public Schools, assured parents no sensitive data was exposed, though the breach underscores broader vulnerabilities in K-12 and higher education technology. The University of Iowa’s IT director called it a ‘national-level cybersecurity incident,’ while Harvard’s student newspaper confirmed the system outage. The disruption has forced institutions to adapt quickly, with updates shared via emails and status pages as resolutions remain unclear.