Canvas is back online, but questions — and final exam disruptions — linger

The online education platform Canvas went offline on Thursday after a data breach by the hacking group ShinyHunters, leaving 30 million users—including students and faculty at half of North America’s higher education institutions—without access during finals week. The breach followed unauthorized activity detected on April 29, with Instructure, Canvas’s parent company, confirming the outage stemmed from an exploit of its Free-for-Teacher accounts, which were temporarily disabled. ShinyHunters claimed responsibility for the breach, stating it initially accessed data from 275 million users at nearly 9,000 schools worldwide, including private messages. The group demanded affected schools negotiate settlements through the encrypted platform Tox to prevent data leaks, setting a May 12, 2026, deadline. Instructure later clarified that only identifying information like names, email addresses, student IDs, and user messages were compromised, with no exposure of passwords, birth dates, or financial data. Instructure restored Canvas access by Thursday evening, though services like Canvas Beta and Canvas Test remained in maintenance mode. The company attributed the outage to the hacker’s modifications appearing during active user sessions but did not confirm whether a ransom was paid. Cybersecurity expert Rachel Tobac warned users to remain vigilant for phishing attempts, as attackers may exploit the breach to send fraudulent communications. The incident marks the second major breach attributed to ShinyHunters this year, following their involvement in the Ticketmaster data leak in June 2024. While Instructure assured users of an ongoing investigation, the long-term implications for affected schools—including potential legal or reputational risks—remain unclear. Students and faculty affected by the outage reported disruptions to final exams and coursework, though Instructure expressed regret for the inconvenience.