Jump to content

2026 Canvas security incident

Add links
Page semi-protected
From Wikipedia, the free encyclopedia

2026 Canvas security incident
Canvas LMS's logo
Image of message that appeared on the Canvas webpage for users logging in on May 7, 2026.
An editor has nominated the above file for discussion of its purpose and/or potential deletion. You are welcome to participate in the discussion and help reach a consensus.
DateOngoing
LocationInternational
PerpetratorShinyHunters

The 2026 Canvas security incident is an ongoing cybersecurity incident, outage, and data breach affecting Canvas LMS, a learning management system operated by private company Instructure.[1] In early May 2026, Instructure disclosed that it was investigating a cybersecurity incident involving certain user data, including names, email addresses, student ID numbers, and messages among users.[2] The company said it had found no evidence that passwords, dates of birth, government identifiers, or financial information were involved in the hacking.[3]

Despite Instructure's claim that the situation had been resolved, on May 7, Canvas was hacked again; its login page was replaced with a ransomware message by ShinyHunters, the criminal hacking group which claimed responsibility. ShinyHunters threatened to release Canvas' sensitive data unless its ransom was paid by the end of May 12.[4][5] As of May 8, however, Instructure reported on their status page no incidents related to the May 7-8 hack, and claimed that access to their website had been restored to most users.[6] However, San Diego Community College District students received a message from the District, alerting them to students experiencing incidents of attempted extortion by these hackers.[7]

The hack is considered the largest educational security breach on record as of 8 May 2026 due to its unprecedented global scale, affecting 8,809 universities, educational ministries, and other institutions worldwide.[8] The breach had particularly significant implications in the United States, where Canvas is used by 41% of higher education institutions[9] as well as some K-12 schools.[8] The hacking group ShinyHunters claimed to have stolen 3.65 terabytes of data (approximately 275 million records), including private messages exchanged between students and teachers.[10]

The incident came to wider public attention on May 7 at approximately 1:20 p.m. PDT (UTC-7) when students began posting on Reddit screenshots of the defaced Canvas log-in page.[8]

Background

See also: Instructure

Canvas is a commercial learning management system offered by Utah, United States-based company Instructure. The software assists with managing coursework, assignments, quizzes, exams, and grades, as well as facilitating communication between instructors and students.[11]

In 2026, Instructure provided Canvas to approximately 30 million active participants at over 8,000 educational institutions in the United States, United Kingdom, Canada, Australia, New Zealand and some European nations. The platform is the most widely adopted learning management system in North American higher education where 41% of institutions use the software.[11][12]

Breach and outage

On May 1, Instructure announced on their status page that a cyber security incident had occurred. On May 2, Instructure announced they had contained the issue, but names, email addresses, ID numbers, and messages had been stolen for ransom.[13] ShinyHunters posted a ransom note claiming responsibility for the attack on May 3. On May 6, Instructure stated that their Canvas system was back to normal operation and they had found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.[3][14]

On May 7, ShinyHunters wrote that Instructure had tried to implement security patches rather than negotiate with the hackers. This prompted the group to cause an outage where their new ransom note was displayed to every user. At 8pm eastern time, Instructure replaced the ransom note message with an alert stating their software was down for maintenance.[13] The outage occurred during the end of the academic year for many institutions, including during final exam periods at some colleges and universities.[4] Attempted log-ins simply yielded the following message (partial transcript):[15] 

SHINYHUNTERS rooting your systems since '19 ;) ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some "security patches". 

⚠ WARNING If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked.

Instructure still has until EOD 12 May 2026 to contact us.

However, more often, a screen was shown simply saying that Canvas was down for maintenance. ShinyHunters claimed that nearly 9,000 schools worldwide[16] were affected, though the full scope of the breach has not been independently verified as of May 9, 2026.[4][12]

Canvas resumed operations several hours after investigating the unauthorised access, later confirming that the exploit was caused by an issue related to its Free-For-Teacher accounts.[17] Some institutions waited to verify the security of their systems before activating Canvas on the afternoon of May 8.[18] Instructure has yet to state whether it paid a ransom or issue an update regarding the compromised data.[19]

Impact

Educational institutions in the United States, Canada, United Kingdom, New Zealand,[20] Australia,[21] Sweden,[22] the Netherlands,[23] and Singapore[24] reported disruptions or potential exposure of user information.

Affected academic institutions in the US include, but are not limited to, all Ivy League schools, Pennsylvania State University, University of Illinois, James Madison University, University of Nebraska-Lincoln, Georgetown University, Oregon State University, University of Michigan, Rutgers University, University of California, San Diego State University, University of Washington, University of Chicago, Baylor University, University of Maryland, University of North Carolina at Chapel Hill, University of Oklahoma, University of Iowa, Iowa State University, Texas Tech University, Northwest Arkansas Community College, San Diego Community College District, Universities of Wisconsin, Georgia Institute of Technology, Virginia Tech and Duke University.[25] For example, the University of California system said its Canvas login pages had displayed a suspicious message from the threat actor and they instructed UC locations to temporarily block or redirect Canvas access "out of an abundance of caution."[26] ABC15 reported that finals were disrupted at Arizona State University, with end-of-school activities and celebrations temporarily halted and ASU themselves saying, "ASU is aware of an incident that has affected Canvas, the online platform students and faculty use to access courses and submit work, that has resulted today in users being redirected and rendering the platform inaccessible at this time. This incident is unrelated to any ASU-managed system."[27] CBS Sacramento reported that Sacramento State students attempting to log into Canvas were redirected to a page displaying a message attributed to ShinyHunters, which claimed that student and faculty data had been obtained, and threatened to leak it unless a ransom was paid.[5] ABC-owned local stations also reported impacts or monitoring by institutions including the University of Pennsylvania, Wake County Public Schools, and Duke University.[28][29]

In Australia, ABC News reported that universities, vocational providers, and some state schools were affected, and that the federal government's National Office of Cyber Security was coordinating a response.[3] Several universities, including the University of Melbourne, University of Technology Sydney, Royal Melbourne Institute of Technology, Griffith University, Adelaide University[30], and University of Canberra are offering extensions on assignments to affected students. University of Technology Sydney, Adelaide University, and the Queensland Department of Education have temporarily disabled access to Canvas systems as a preventative measure until the situation is resolved and are warning staff and students of potential phishing or scam emails.[31] Queensland Minister of Education John-Paul Langbroek said the attack impacted the data of 200 million people. Queensland Teachers' Union called for investigation for what caused the breach and how similar attacks could be thwarted. Both Instructure and several Australian officials commenced investigations.

In Canada, at least eight universities and colleges have been affected and some schools have stopped access to Canvas.[32]

In the Netherlands, 44 educational institutions have been affected.[33] Several universities disconnected Canvas from their internal systems.[34]

In Hong Kong, five institutions, including three universities, are affected.[35]

In New Zealand, University of Auckland, AUT and Victoria University of Wellington were affected as was Kristin School.[36]

See also

References

  1. ^ Kaleem, Jaweed (May 8, 2026). "Massive Canvas data breach hits colleges across California and nation, crippling student work". Los Angeles Times. Retrieved May 8, 2026.
  2. ^ "Security incident update & FAQs". Instructure. Archived from the original on May 8, 2026. Retrieved May 9, 2026.
  3. ^ a b c "Canvas data breach leaves education providers scrambling as student data compromised". ABC News. May 7, 2026. Retrieved May 7, 2026.
  4. ^ a b c Hollingsworth, Heather (May 7, 2026). "Cyberattack hits Canvas system used by thousands of schools as finals loom". Associated Press. Retrieved May 7, 2026.
  5. ^ a b Halbleib, Brady (May 7, 2026). "Sacramento State caught in nationwide cyberattack targeting online learning platform". CBS Sacramento. Retrieved May 7, 2026.
  6. ^ "Canvas is Available for Most Users. Canvas Beta and Canvas Test are still in maintenance". Instructure Status. May 7, 2026. Archived from the original on May 8, 2026. Retrieved May 9, 2026.
  7. ^ "mySDCCD Info Hub - mySDCCD Wiki". mysdccd.atlassian.net. Retrieved May 9, 2026.
  8. ^ a b c Koebler, Jason (May 8, 2026). "'The Biggest Student Data Privacy Disaster in History': Canvas Hack Shows the Danger of Centralized EdTech". 404 Media.
  9. ^ "North American higher ed LMS market share by count of institutions".
  10. ^ Mousqueton, Julien. "Victim: Instructure Holdings, Inc. (Canvas LMS, instructure.com) – shinyhunters". Ransomware.live. Retrieved May 9, 2026.
  11. ^ a b "Universities around the world scramble after cyberattack disrupts student portals". The Economic Times. May 8, 2026. Retrieved May 9, 2026.
  12. ^ a b Palmer, Kathryn (May 5, 2026). "'Pay or leak': Hackers target big higher ed vendor". Inside Higher Ed. Retrieved May 7, 2026.
  13. ^ a b Ziegler, Hannah (May 7, 2026). "Canvas Online Learning Platform Shut Down for Hours After Cyberattack". The New York Times. Retrieved May 8, 2026.
  14. ^ "Confirmed Security Incident - Incident Report for Instructure". Instructure Status. Instructure. May 6, 2026. Retrieved May 7, 2026.
  15. ^ Kan, Michael (May 8, 2026). "Hack Shuts Down Canvas, an Online System Used by Thousands of Schools". PCMAG.
  16. ^ Paganini, Pierluigi (May 5, 2026). "Educational tech firm Instructure data breach may have impacted 9,000 schools".
  17. ^ "Security Incident Update & FAQs". Instructure. Archived from the original on May 8, 2026. Retrieved May 9, 2026.
  18. ^ "Oregon State University Information Services Status Dashboard". Oregon State University. Corvallis, Oregon, United States: Oregon State University. May 8, 2026. Archived from the original on May 9, 2026.
  19. ^ Hollingsworth, Heather; Williams, Corey (May 8, 2026). "Canvas system is online after a cyberattack disrupted thousands of schools". AP News. Retrieved May 8, 2026.
  20. ^ Forman, Luka (May 8, 2026). "New Zealand students' details caught up in massive global university hack". RNZ. Radio New Zealand.
  21. ^ "Major data breach sees student details compromised". ABC News. Australian Broadcasting Corporation. May 7, 2026.
  22. ^ "Information about a cybersecurity incident related to Canvas". Swedish University of Agricultural Sciences.
  23. ^ Scholtens, Indy (May 8, 2026). "Universiteiten en hogescholen blokkeren studie-app Canvas na hack". NOS (in Dutch). Nederlandse Omroep Stichting.
  24. ^ "NUS named in global data breach list". The Straits Times. May 8, 2026. ISSN 0585-3923. Retrieved May 9, 2026.
  25. ^ "Hackers ShinyHunters send ransom notes to 9,000 schools as part of cyberattack impacting millions". LADbible. May 8, 2026.
  26. ^ "Nationwide security breach involving Canvas". UCnet. University of California. May 7, 2026. Retrieved May 7, 2026.
  27. ^ "Cyberattack on Canvas disrupts finals for ASU students and thousands of others worldwide". ABC15 Arizona. May 8, 2026. Retrieved May 8, 2026.
  28. ^ Gallagher, Bryanna (May 7, 2026). "Massive data breach affects schools using Canvas nationwide; Penn reportedly impacted". 6abc Philadelphia. WPVI-TV. Retrieved May 7, 2026.
  29. ^ Dowding, Jon (May 7, 2026). "Schools, universities in NC monitoring for potential impacts from Canvas data breach". ABC11 Raleigh-Durham. WTVD-TV. Retrieved May 7, 2026.
  30. ^ "Instagram". www.instagram.com. Retrieved May 9, 2026.
  31. ^ "Students receive ransom messages after learning system cyberattack". ABC News. May 8, 2026. Retrieved May 8, 2026.
  32. ^ Thayaparan, Arrthy (May 8, 2026). "U of T, OCAD among Ontario universities impacted by Canvas cyber breach". CBC News. Retrieved May 8, 2025.
  33. ^ "Thousands of Dutch Students and Teachers Affected by ShinyHunters Hack". Dutch Times. May 7, 2026. Retrieved May 8, 2026.
  34. ^ "Universiteiten koppelen systemen los na hack, gevolgen voor onderwijs" [Universities disconnect systems after hack, consequences for education] (in Dutch). Telegraaf. May 8, 2026. Retrieved May 8, 2026.
  35. ^ "HK institutions affected by Canvas cyberattack". RTHK. May 8, 2026. Retrieved May 9, 2026.
  36. ^ Forman, Luka (May 8, 2026). "New Zealand students' details caught up in massive global university hack". RNZ. Radio New Zealand.
Retrieved from "https://en.wikipedia.org/w/index.php?title=2026_Canvas_security_incident&oldid=1353434864"