A cyberattack on Canvas, the learning platform used by universities around the world, knocked the system offline during finals week. Students were locked out of their grades, assignments, and exam materials at the worst possible time.
Here’s what you need to know, and what it means for your education.
What happened to Canvas?
Canvas is a digital platform universities use to post lectures, collect assignments, run exams, and communicate with students. Hackers broke in, forcing the platform offline.
The attackers were ShinyHunters, a group known for stealing data and demanding money to keep it quiet. They exploited a vulnerability in Canvas’s “Free-for-Teacher” accounts—a version schools use to train educators. Instructure, the company that runs Canvas, shut the platform down to stop the damage.
During the outage, Canvas login screens reportedly showed a ransom message: schools were warned to make contact before a May 12, 2026, deadline to prevent stolen student data from being published. The hackers claimed to have stolen information on millions of students, teachers, and staff across thousands of schools.
What data was stolen?
The attackers got usernames, email addresses, student IDs, and private messages between students and teachers. They did not get passwords or financial details, according to Instructure.
But that’s still dangerous. With your real name, student ID, and school email, hackers can craft convincing phishing messages (fake emails pretending to be from your lecturer or university) to trick you into giving away more information or downloading malware.
Why did this hurt students so much?
Finals week. Students couldn’t access study materials, submit assignments, or see exam schedules. Some universities postponed exams; others asked lecturers to extend deadlines.
For a student in the middle of revision or sitting for an exam, a sudden platform collapse is chaos.
Has ShinyHunters done this before?
Yes. The group has breached Ticketmaster, Rockstar Games, and others. This was also not Canvas’s first run-in with ShinyHunters—they targeted Instructure’s business systems in September 2025, though that attack didn’t hit the Canvas product itself.
The pattern is clear: ShinyHunters knows how to find weak spots and come back.
What should you do?
If you’re a Canvas user: Watch for suspicious emails claiming to be from your university or lecturers, especially ones asking you to “verify” your details or click links. Don’t reply to those. Contact your school’s IT department directly if you’re unsure.
If you’re a university IT manager: This is a wake-up call. Relying on a single platform for exams, grades, and communication is risky. You need backup systems and stronger security checks. Test your disaster recovery plan now, not during finals.
For schools: Consider diversifying platforms—don’t put all classes on one system. Require multi-factor authentication (two-step login). Train staff to spot phishing. And make sure you have offline access to critical information like exam schedules and student records.
Canvas has reportedly come back online, and ShinyHunters has reportedly removed Instructure from its “Pay or Leak” portal, suggesting negotiations may be underway. But the stolen data is still out there. Until that data is secured or deleted, the risk remains real.



