Instructure's Canvas hit by attack

Canvas is the software layer a lot of schools run on now — assignments, grades, messages, lecture files, the whole academic workflow. That is why Thursday’s disruption hit so hard. Instructure, the company behind Canvas, put parts of the service into maintenance mode on May 7 while it dealt with a cyberattack, and the timing could hardly have been worse: many colleges were already in finals. Instructure had already disclosed a security incident on May 1 and said on May 2 that it appeared contained, but the story clearly did not end there. (status.instructure.com) ### What actually broke? Canvas, Canvas Beta, and Canvas Test were placed into maintenance mode on May 7. Instructure’s status history shows the company first said it was investigating, then later said Canvas was available for most users while Beta and Test stayed in maintenance, and finally said broader access had returned. For students and instructors, that meant the practical stuff broke — logging in, pulling course mat(status.instructure.com)g whether deadlines still counted. (status.instructure.com) ### What data is believed to be exposed? Instructure’s own update is narrower than the hackers’ boast, but still serious. The company says the information involved so far includes names, email addresses, student ID numbers, and messages among users. It also says it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. That distinction matters, but it does not (status.instructure.com)inked records are still sensitive, especially when they belong to minors, students, and faculty. (status.instructure.com) ### Who is claiming responsibility? The extortion group ShinyHunters is claiming the attack. News reports say the group alleged it stole data tied to more than 275 million people and around 9,000 schools, and claimed a haul of 3.65 terabytes. Those numbers come from the attackers, so treat them as claims, not settled fact. But the reason people are taking them seriously is simple — Instructure has already confirmed a real incident and real data exposure. (nytimes.com) ### Why did this feel bigger than a normal outage? Because Canvas is not just another app tab. For many campuses, it is the operating system for teaching. When one vendor sits in the middle of class materials, grading, announcements, and submissions, a security incident stops being an IT problem and turns into an academic operations problem. Finals week makes that even sharper — the outage lands exactly when deadlines bunch up and nobody has slack. (apnews.com) ### Didn’t Instructure say it was contained? Yes — and that is one of the most revealing parts of the story. Instructure said on May 2 that it believed the incident had been contained, had revoked privileged credentials and access tokens, deployed patches, rotated certain keys, and increased monitoring. Then on May 6 it said Canvas was fully operational and it was no(apnews.com)arily mean a brand-new breach happened that day; it could also mean containment and recovery were messier than the first updates suggested. That last part is an inference, but it fits the timeline. (status.instructure.com) ### Is this connected to a broader pattern? Looks like it. Instructure disclosed a separate September 2025 security issue involving social engineering and its Salesforce instance, though it said then that no product or product data was accessed. So this is not proof of one continuous campaign, but it does show the company has been dealing with repeated security pressure across different systems. For schools, the lesson is not just “one breach happened.” It is that vendor risk can stack. (instructure.com) ### What should schools and users take from this? The immediate advice from Instructure is practical — enforce MFA on privileged accounts, review admin access, and rotate API tokens or keys where applicable. The bigger takeaway is structural. Schools have centralized enormous amounts of teaching and student data into a few platforms because it is efficient. But efficiency has a catch: when one platform stumbles, thousands of institutions stumble together. (status.instructure.com) ### Bottom line? This was not just a website going down. It was a reminder that digital campus infrastructure is now critical infrastructure — and when it fails during finals, the blast radius is immediate. (apnews.com)