Canvas Learning System Suffers Major Data Breach, Thousands of Institutions Affected

Key facts

• The Canvas learning management system experienced a significant security incident and outage on May 7, 2026.
• Thousands of educational institutions globally, including major US universities, were affected.
• The hacking group ShinyHunters claimed responsibility for the data breach at Instructure, Canvas's parent company.
• ShinyHunters alleges it accessed data from over 275 million individuals across nearly 9,000 schools worldwide.
• The incident disrupted classes, coursework, and exams during spring finals week for many students.
• Instructure stated that Canvas was available for most users by late May 7.
• The University of California temporarily blocked Canvas access as a precautionary measure.

Widespread Disruption Hits Educational Institutions

A widespread security incident and subsequent outage struck the Canvas learning management system on May 7, 2026, causing significant disruption for students and educators across the United States. The platform, used by thousands of schools and universities, became inaccessible for hours, impacting access to grades, course materials, and critical academic functions. Colleges and universities nationwide, including prominent institutions like the University of Michigan, Harvard University, and Pennsylvania State University, alerted their communities to the problem. The timing of the incident proved particularly disruptive, occurring during spring finals week for many, jeopardizing coursework and examinations. Instructure, the company behind Canvas, confirmed a cyber incident affecting its cloud-hosted environment. Canvas had more than 30 million active users worldwide and served over 8,000 institutions.

ShinyHunters Claims Responsibility for Breach

The hacking group ShinyHunters has claimed responsibility for the data breach at Instructure, the parent company of the Canvas learning management system. According to reports, ShinyHunters stated it had accessed data from an extensive number of individuals, potentially affecting students, teachers, and staff. This group has a documented history of compromising global corporations. In April, ShinyHunters claimed to have stolen nearly 80 million business records from the video game developer Rockstar Games, known for the Grand Theft Auto franchise. ShinyHunters shared a list of 8,809 school districts, universities, and online education platforms with BleepingComputer, asserting that their Canvas instances were impacted. The alleged per-institution record counts ranged from tens of thousands to several million.

Scope of Data Compromise and Institutional Response

ShinyHunters alleges that the breach compromised personal data from approximately 275 million individuals across the Canvas platform. The group's claims suggest that data from nearly 9,000 schools worldwide may have been accessed, impacting students, teachers, and other staff. Educational institutions responded with varying degrees of caution and action. The University of California, as a precautionary measure, instructed all its locations to temporarily block or redirect Canvas access. This measure would remain in place until the university was confident in the system's security. Other universities, like the University of Michigan, temporarily removed access to Canvas while their IT teams investigated and took steps to protect university systems and data. Students logged into Canvas were advised to log out immediately.

Impact on Students and Recommended Precautions

The disruption to Canvas meant that students were unable to access essential academic resources during a critical period. Pennsylvania State University noted that tests and assignments scheduled to be completed on Canvas would not be available, with resolution potentially extending beyond 24 hours. In response to the breach, Instructure advised users to change passwords for Canvas and any other accounts where the same password might have been reused. The company also recommended enabling multi-factor authentication (MFA) wherever possible to enhance account security. Parents were advised to verify the authenticity of any notifications received from schools or Instructure, especially those exhibiting suspicious links or demanding immediate action. They were also encouraged to inquire about specific data compromised and any protection services offered for minors, such as credit monitoring or identity restoration.

System Restoration and Ongoing Vigilance

By late on May 7, Instructure announced that Canvas was "now available for most users." Earlier in the day, the company had stated that Canvas and related sites were placed "in maintenance mode" while it investigated login difficulties for student ePortfolios. The University of California stated it would continue to monitor the situation and evaluate next steps, emphasizing that protecting personal and institutional information remained its highest priority. The university committed to working with its partners to understand the full impact on students and faculty. Educational institutions continue to encourage community members to remain vigilant against potential phishing attempts. They remind users that universities will never request sensitive personal information like passwords, Social Security numbers, or bank account details via email or text.

The bottom line

• The Canvas learning management system experienced a significant security incident and outage on May 7, 2026, affecting thousands of educational institutions.
• The hacking group ShinyHunters claimed responsibility, alleging the theft of data from over 275 million individuals across nearly 9,000 schools.
• The incident disrupted academic activities, including coursework and exams, during a critical finals week for many students.
• Instructure, the parent company of Canvas, confirmed the cyber incident and worked to restore services, with most users regaining access by late May 7.
• Educational institutions implemented security measures, including temporary access blocks and advisories for password changes and multi-factor authentication.
• Users are urged to remain vigilant against phishing attempts and protect personal information, as universities will not request sensitive data via unsolicited communications.