This week, thousands of colleges and universities watched their learning management system get hacked in the middle of finals. Students were locked out. Faculty could not access grades. Private messages between students and professors were stolen. I am genuinely grateful that the University of Hartford was not among them. We are a Blackboard institution, not Canvas. But I have spent the better part of today reading everything I can find about what happened, and I cannot stop thinking about it. This is very possibly the most consequential cybersecurity event in the history of American higher education.
What Happened
On April 29, 2026, Instructure, the parent company of Canvas LMS, first detected unauthorized activity in its systems. Canvas is the learning management system used by roughly 41 percent of higher education institutions in North America and more than 8,000 institutions globally. Thirty million people use it every day. Students submit assignments through it. Faculty post grades through it. Advisors, administrators, and staff communicate through it. It is not a supplementary tool. For the institutions that use it, Canvas is the classroom.
The group responsible for the breach calls itself ShinyHunters. They are a well-documented criminal extortion group described by threat analysts as a loose affiliation of teenagers and young adults operating out of the United States and the United Kingdom. They have a long track record. Their previous targets include Ticketmaster, the University of Pennsylvania, Princeton, Harvard, the European Commission, Amtrak, and an identity protection company called Aura.
ShinyHunters first went public about the Instructure breach on May 3, posting on their dark web leak site and calling it a "final warning." They claimed to have stolen 275 million individual records and more than 3.65 terabytes of data from nearly 9,000 institutions across the United States, United Kingdom, Australia, New Zealand, Sweden, and the Netherlands. They gave Instructure until May 6 to respond and pay a ransom. Instructure applied what the company called security patches and announced the situation was resolved.
It was not resolved. On May 7, students across the country tried to log into Canvas and were met with something they had never seen before. Instead of their coursework, their inbox, their grades, their study materials, they saw a black screen and a message from ShinyHunters. The hackers had defaced login pages across dozens of institutions simultaneously, injecting an HTML file into the login screens to display their ransom demand. "ShinyHunters has breached Instructure (again)," the message read. "Instead of contacting us to resolve it they ignored us and did some 'security patches.'" TechCrunch confirmed it independently. Student newspapers from Harvard to Penn to Duke to Oklahoma published screenshots. The deadline now sits at May 12, 2026. As of this writing, that deadline has not passed.
The Timing Could Not Have Been Worse
May 7 is, for most colleges and universities in the United States, either finals week or the week immediately before it. This was not a coincidence. ShinyHunters chose this moment deliberately. They understood that maximum disruption at maximum vulnerability would put maximum pressure on institutions to pay. And it worked, in the sense that the disruption was total for many students and faculty.
A University of Pennsylvania student was in the middle of studying for finals when he was logged out mid-session. He described it as a surge of immediate anxiety. A UC Riverside senior missed a quiz entirely. A student at a Florida university was in the middle of an active exam when the ShinyHunters message took over his screen. A Columbia senior said it hit at the "most inopportune time," right as students were shifting from end-of-year events into serious exam preparation. Faculty faced a different kind of crisis. At Indiana University, instructors could not enter grades and could not access submitted student work. Faculty across dozens of institutions had to pivot on the spot, scrambling to email study materials directly to students, find alternate submission methods, or simply tell students to wait.
Institutions responded in chaotic and inconsistent ways, which is itself a problem. The University of Illinois postponed all final exams and assignments scheduled through Sunday. Penn State canceled exams scheduled for Thursday night and Friday. James Madison University moved its Friday exams to Wednesday. Baylor University delayed Friday exams and asked faculty to email students any materials saved on local computers. The University of Wisconsin extended the grade submission deadline for all courses to May 14. Yale posted a Microsoft Form so faculty could request access to their own grade data. Georgetown sent a message simply asking faculty to "be flexible where possible." Kent State said it was "very concerned" about further disruptions and noted the breach was affecting tuition billing and financial aid, not just coursework. Every institution was making it up as they went. There is no playbook for this, no backup plan. The LMS usually is the backup plan for most.
Canvas came back online on May 8. Instructure confirmed the attack vector was exploited through Free-For-Teacher accounts, the lower-security open enrollment accounts that do not require institutional identity verification. The company has since shut those accounts down temporarily. They have notified law enforcement, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency. But is it over? The May 12 deadline still looms.
What Was Actually Stolen
This is where the story gets more complicated than the headlines suggest. Instructure has confirmed that the following data types were involved: full names, email addresses, student ID numbers, and messages exchanged within the Canvas platform. The company has stated there is no evidence that passwords, dates of birth, Social Security numbers, or financial information were compromised. That sounds manageable until you think about what Canvas messaging actually contains. Canvas is not an email system in the way most people think of email. It is an institutional communication tool where students ask professors about failing grades. It is where a student tells an advisor they are struggling with their mental health. It is where a faculty member flags an academic integrity concern. It is where a student with a disability discusses accommodation details. It is where sensitive, protected, deeply personal academic conversations happen every day, under the assumption that those conversations are private.
ShinyHunters claims to have obtained "several billion" private messages from the platform. A spokesperson told the Daily Californian that the stolen data included "student and staff email addresses, names, student IDs, courses enrolled, and tons of private messages." A member of the group shared a verified sample of Penn user data with the Daily Pennsylvanian. The data was real. The full dataset has not been publicly dumped yet. Whether it will be depends on what happens before May 12. But the data is in criminal hands regardless of whether it gets leaked. Cybersecurity experts are already warning that even without a public dump, the combination of institutional email, student ID, course enrollment data, and private messages gives bad actors everything they need to craft highly convincing, deeply personalized phishing attacks targeting students, faculty, and staff. "Once they get this basic information, name, student ID, email, you become an increased risk you'll be targeted," one expert told ABC7. The hackers may also sell the dataset rather than dump it. That is arguably worse. It means the data enters a criminal marketplace where it can be purchased and used by actors with no knowledge of or interest in Instructure, Canvas, or the original breach.
The FERPA Question
FERPA, the Family Educational Rights and Privacy Act, is the federal law that governs the privacy of student educational records. It applies to any institution that receives federal funding. Nearly every college and university in the United States is covered. FERPA protects student records from unauthorized disclosure and gives students certain rights over their own data. Canvas messages between students and faculty are educational records under FERPA. Course enrollment data is an educational record. Grade information is an educational record. If ShinyHunters' claims are accurate, what was stolen represents a FERPA violation on a scale that has never been seen before in American higher education. Legal experts and academics began calling it that on May 7, the day the defacements hit. One widely shared social media post described it bluntly as potentially the largest FERPA violation in U.S. history.
FERPA enforcement has historically been light. The U.S. Department of Education has rarely taken aggressive action against institutions for data breaches, particularly when the breach originates with a third-party vendor. The standard argument from institutions is that they cannot be held liable for a vendor's security failure, as long as the institution had appropriate data sharing agreements in place. That argument is about to be tested at a scale that could redefine it entirely. If the breach is as large as claimed, the Department of Education will face significant pressure to respond. Affected students and families will likely pursue legal action. Class action attorneys were already circling within 24 hours of the breach becoming public. And institutional legal teams are going to be spending a lot of time in the coming months reviewing their data sharing agreements with Instructure and determining whether those agreements were sufficient.
What This Means for Everyone Involved
Students
The immediate impact was disruption. Missed quizzes, delayed exams, lost access to study materials, anxiety at the worst possible moment in the academic year. That part will pass. The longer-term risk is more serious. Students whose data was stolen face elevated phishing risk for the foreseeable future. Anyone who received a direct ransomware contact through Canvas, which San Diego State reported was happening on May 7, should take it seriously and report it. Students should be on high alert for suspicious emails that appear to come from instructors, advisors, or university offices, particularly if those emails reference specific courses, grades, or personal circumstances. That specificity is exactly what makes this dataset valuable to bad actors. Students should also be aware that their private Canvas messages may ultimately be exposed.
Faculty
Faculty face overlapping concerns. Their own personal data was stolen. Their communications with students were potentially compromised. And they were placed in an impossible position operationally, asked to redesign exams and assessment timelines in real time while also trying to communicate with students through channels other than the tool they normally use for exactly that purpose. The deeper concern for faculty is the erosion of trust in the institutional systems they depend on. If Canvas messaging is no longer confidential, faculty may reasonably hesitate to use it for sensitive academic conversations.
Faculty face overlapping concerns. Their own personal data was stolen. Their communications with students were potentially compromised. And they were placed in an impossible position operationally, asked to redesign exams and assessment timelines in real time while also trying to communicate with students through channels other than the tool they normally use for exactly that purpose. The deeper concern for faculty is the erosion of trust in the institutional systems they depend on. If Canvas messaging is no longer confidential, faculty may reasonably hesitate to use it for sensitive academic conversations.
Institutions
Every institution on that list of 8,809 schools needs to be doing three things right now. First, communicating clearly and honestly with students, faculty, and staff about what was exposed and what the risks are. Second, preparing for potential FERPA inquiries and legal actions. Third, seriously evaluating their dependency on any single platform for this many critical functions. The breach has exposed something important about how higher education has structured its digital infrastructure. Canvas became so central to so many institutions that losing it for even 24 hours created cascading failures in assessment, communication, grade reporting, and financial operations. That is a single point of failure at institutional scale. The question every CIO, academic technology director, and provost should be asking right now is: what is our continuity plan if our LMS goes down for an extended period, and do we have one? For institutions that do not have a robust continuity plan, this is the moment to build one.
Instructure
Instructure is in a very difficult position. The company confirmed the initial breach, applied patches, declared the situation resolved, and then watched the same group deface their platform again 48 hours later using the same vulnerability. ShinyHunters said it publicly: "Instead of contacting us to resolve it they ignored us and did some 'security patches.'" Whether that characterization is accurate or not, the optics are damaging. The company is now managing a public relations crisis, a law enforcement investigation, a forensic security investigation, and active extortion pressure simultaneously, during the most operationally critical week of the academic year for their customers.
They have done some things right. They notified institutions. They engaged law enforcement. They brought the platform back online quickly. They are communicating through their status page. But the gap between what their status page says, which reported 100 percent uptime on May 7 and 8 despite documented global outages, and what institutions and students were actually experiencing is a credibility problem. When the people relying on you for accurate information cannot trust your status reporting, everything else becomes harder. Instructure will face regulatory scrutiny, likely litigation, and deep questions about their security posture from every institution in their customer base. The long-term commercial consequences of this event could be significant.
Instructure is in a very difficult position. The company confirmed the initial breach, applied patches, declared the situation resolved, and then watched the same group deface their platform again 48 hours later using the same vulnerability. ShinyHunters said it publicly: "Instead of contacting us to resolve it they ignored us and did some 'security patches.'" Whether that characterization is accurate or not, the optics are damaging. The company is now managing a public relations crisis, a law enforcement investigation, a forensic security investigation, and active extortion pressure simultaneously, during the most operationally critical week of the academic year for their customers.
They have done some things right. They notified institutions. They engaged law enforcement. They brought the platform back online quickly. They are communicating through their status page. But the gap between what their status page says, which reported 100 percent uptime on May 7 and 8 despite documented global outages, and what institutions and students were actually experiencing is a credibility problem. When the people relying on you for accurate information cannot trust your status reporting, everything else becomes harder. Instructure will face regulatory scrutiny, likely litigation, and deep questions about their security posture from every institution in their customer base. The long-term commercial consequences of this event could be significant.
What Comes Next
Several things are certain. The May 12 deadline will either result in a data dump, a payment, or a negotiation. Any of those outcomes carries significant consequences. Litigation will follow. Regulatory inquiries will follow. And every institution in higher education, Canvas customer or not, will be asking hard questions about their LMS security posture and their data governance practices. One thing that is less certain but increasingly urgent is what happens to the students whose private messages are sitting in a 3.65-terabyte dataset held by criminals. Those students did not consent to this. They used Canvas because their institutions required them to. They communicated in good faith through a platform they had no reason not to trust. Whatever FERPA says, whatever data sharing agreements say, whatever the liability analysis ultimately concludes, those students deserve honest and direct communication from every institution involved.
A Final Thought
I said at the start that the University of Hartford uses Blackboard, not Canvas. We were not affected. But I want to be clear about what I mean when I say that. Our students were not disrupted during finals week. Our faculty were not scrambling to restructure exams. Our data was not stolen. For that, I am genuinely grateful. But I work in higher education. The students who could not access their study materials on May 7 are the same kind of students I work with every day. The faculty who had to send emergency emails to their classes are the same kind of faculty I support. I myself am also faculty. I teach too. I could have been one of those faculty impacted by this. And the administrators trying to make real-time decisions with incomplete information are the same kind of administrators I work alongside.
Sources
The following articles and reports informed this post. I encourage you to read them directly.
__________________________
Institutional Alerts and University Responses
Rutgers University Office of Information Technology. "Nationwide Security Breach Involving Canvas." Rutgers IT Alerts, May 4, 2026. https://it.rutgers.edu/alerts/2026/05/04/nationwide-security-breach-involving-canvas/
University of California Office of the President. "Nationwide Security Breach Involving Canvas." UCnet, updated May 7, 2026. https://ucnet.universityofcalifornia.edu/employee-news/nationwide-security-incident-involving-canvas/
University of Wisconsin Registrar. "Updates on Canvas Outage." UW Registrar, May 7, 2026. https://registrar.wisc.edu/updates-on-canvas-outage/
__________________________
News Coverage
Burke, Minyvonne, et al. "Canvas Hack: What We Know About the Apparent Cyberattack Impacting Thousands of Schools." CNN, May 7, 2026. https://www.cnn.com/2026/05/07/us/canvas-hack-strands-college-students-finals-week
Lybrand, Holmes. "Canvas is Back Online, But Questions and Final Exam Disruptions Linger." NPR / WAER, May 8, 2026. https://www.waer.org/2026-05-08/canvas-is-back-online-but-questions-and-final-exam-disruptions-linger
"'Security Patches' Put Student Learning System Back Online After Hack." WRAL, May 8, 2026. https://www.wral.com/news/education/canvas-shinyhunters-ransom-instructure-hack-data-breach-may-2026/
"Canvas Hacked: Data Breach Affects Schools Nationwide; University of Illinois Postpones Final Exams, Assignments." ABC7 Chicago, May 7, 2026. https://abc7chicago.com/post/canvas-hacked-data-breach-affects-schools-nationwide-including-university-illinois-isu/19060406/
"Canvas Hacked, Faculty Unable to Enter Grades During Finals." Indiana Public Media, May 7, 2026. https://www.ipm.org/news/2026-05-07/canvas-hacked-faculty-unable-to-enter-grades-during-finals
"Canvas Outage Hits Students at Multiple Universities During Finals." Fox News, May 7, 2026. https://www.foxnews.com/us/hackers-threaten-leak-data-275m-users-breaching-major-college-platform-used-nationwide
"Canvas Cybersecurity Breach Disrupts Thousands of Colleges, Universities as Finals Loom." University Herald, May 8, 2026. https://www.universityherald.com/articles/80334/20260508/canvas-cybersecurity-breach-disrupts-thousands-colleges-universities-finals-loom.htm
"What to Know About the Canvas Cyberattack." TIME, May 8, 2026. https://time.com/article/2026/05/08/canvas-cyber-attack-shinyhunters-hack-what-to-know/
"Hackers Target Canvas Again." Inside Higher Ed, May 7, 2026. https://www.insidehighered.com/news/quick-takes/2026/05/07/hackers-target-canvas-again
Franceschi-Bicchierai, Lorenzo. "Hackers Deface School Login Pages After Claiming Another Instructure Hack." TechCrunch, May 7, 2026. https://techcrunch.com/2026/05/07/hackers-deface-school-login-pages-after-claiming-another-instructure-hack/
"Cyberattack on Canvas Potentially Compromises Millions of Users' Personal Information." KUTV, May 6, 2026. https://kutv.com/news/local/cyberattack-on-canvas-potentially-compromises-millions-of-users-personal-information
__________________________
Student Newspaper Reporting
"Cybercrime Group Crashes Penn's Canvas System, Demands Ransom to Prevent Data Release." The Daily Pennsylvanian, May 7, 2026. https://www.thedp.com/article/2026/05/penn-canvas-shinythunters-data-breach-hack-second
"Over 300,000 Penn Users Affected in Canvas Hack, Cybercrime Group Claims." The Daily Pennsylvanian, May 6, 2026. https://www.thedp.com/article/2026/05/penn-cybercrime-shiny-hunters-canvas-hack-students
"Duke Among 9,000 Schools Affected by Canvas Cyberattack." The Duke Chronicle, May 7, 2026. https://www.dukechronicle.com/article/duke-university-among-institutions-affected-by-canvas-cyberattack-shinyhunters-instructure-hack-data-leak-cybersecurity-20260507
"Harvard Canvas Site Goes Down After University Listed in Instructure Breach." The Harvard Crimson, May 8, 2026. https://www.thecrimson.com/article/2026/5/8/canvas-breach-down/
"Canvas Hack Prompts Privacy Concerns and Delayed Final Grade Deadline." Yale Daily News, May 7, 2026. https://yaledailynews.com/articles/canvas-hack-prompts-privacy-concerns-and-delayed-final-grade-deadline
"Cybercrime Group Claims 600K Records Stolen from UC Berkeley Canvas Amid Nationwide Blackout." The Daily Californian, May 7, 2026. https://www.dailycal.org/news/campus/cybercrime-group-seizes-uc-berkeley-canvas-600k-student-staff-records-at-risk/article_5b3b01de-bcad-45a1-994b-e0d19aa88591.html
"OU, Norman Public Schools Part of Worldwide Canvas Hack." OU Daily, May 7, 2026. https://www.oudaily.com/news/canvas-hack-data-breach-ou-criminal-extortion-security/article_358fb651-5b28-4c87-8a61-e59f34c67015.html
__________________________
Cybersecurity Coverage
Arntz, Pieter. "Millions of Students' Personal Data Stolen in Major Education Breach." Malwarebytes, May 6, 2026. https://www.malwarebytes.com/blog/news/2026/05/millions-of-students-personal-data-stolen-in-major-education-cyberattack
"ShinyHunters' Instructure Canvas LMS and Vimeo Breaches Impact Millions of Users." Hackread, May 6, 2026. https://hackread.com/shinyhunters-instructure-canvas-lms-vimeo-data-breach/
"Canvas Breach? Hackers Threaten to Leak Messages of 275M Users." Cybernews, May 3, 2026. https://cybernews.com/security/canvas-lms-shinyhunters-data-breach/
"Harvard, MIT, Oxford Among 8,000+ Schools Caught in Canvas Breach." Cybernews, May 7, 2026. https://cybernews.com/security/anvas-lms-breach-universities-data-leak/
"Instructure Confirms Canvas Breach as ShinyHunters Lists Stolen Data." SQ Magazine, May 2026. https://sqmagazine.co.uk/instructure-canvas-shinyhunters-data-leak/
__________________________
Reference
"2026 Canvas Security Incident." Wikipedia, last updated May 8, 2026. https://en.wikipedia.org/wiki/2026_Canvas_security_incident
Tags
Education