Canvas LMS Hit by Ransomware Attack Affecting Nearly 9,000 Schools
On May 1, 2026, Canvas, a widely used online platform that schools use to manage classes and tests, was attacked by hackers. The attack interrupted service during finals week at nearly 9,000 schools worldwide. A hacker group called ShinyHunters claimed responsibility and said they broke into the system and stole student records and messages.
When the attack happened, Canvas users saw a message from ShinyHunters appear on their screens around 4:00 PM EST. The message listed affected schools. Instructure, the company that runs Canvas, took the system offline to stop the attack and investigate what happened.
What Happened and How Long It Lasted
Instructure announced the attack on their status page on May 1. Canvas remained offline while their security team worked to understand the breach. Service was restored after several hours.
The timing was particularly difficult for schools. Students were preparing for final exams when the attack cut off access to their courses and grades. The University of Iowa's information technology director called it a "national-level cyber-security incident" because so many schools were affected at the same time.
What the Hackers Claim
ShinyHunters said they accessed nearly 9,000 schools and took billions of private messages and other student records. These claims have not been confirmed by Instructure yet. If they are accurate, the hackers did more than just lock people out of Canvas: they may have also stolen data.
Canvas is the main platform used by thousands of universities, colleges, and public schools for teaching and grading. This makes it a valuable target for hackers who want to cause trouble and pressure schools into paying ransoms.
How Instructure Responded
Instructure reset some security keys used by apps that connect to Canvas. This step is standard practice after a hacker break-in—it prevents hackers from moving deeper into other systems. It did temporarily disrupt some of these connections, but it was necessary for security.
Instructure uses a status page to report Canvas problems, but they only post outages that last longer than 15 minutes. The May 1 attack was far longer, so they reported it fully.
More broadly, schools' heavy reliance on single online platforms creates a weak point. We saw this pattern during the COVID-19 pandemic, when so many schools moved to online learning and became vulnerable to attacks on these systems. What is different now is the scale: the hackers managed to hit thousands of Canvas instances at once. This suggests either that they found a serious flaw in the Canvas software itself or that they entered through a supply chain connection to Canvas.
How the Attack Worked
The fact that hackers could put messages directly on Canvas screens for thousands of schools tells us they had deep access to Instructure's systems, the kind of access an administrator would have. This is serious.
The good news is that Instructure restored service quickly. This may mean they had good backup copies of the system, or that they caught the hackers before they took over everything. The reset of security keys suggests that API tokens and integration pathways—which allow other apps to connect to Canvas—were at risk.
What This Means for Schools and the Bigger Picture
Schools increasingly rely on cloud-based software for teaching and grades. When one company like Instructure gets attacked, thousands of schools lose access all at once. This creates a chain reaction of problems across the school calendar.
Educational technology has become more appealing to criminals in recent years. Hackers know that schools need these systems back up quickly, especially during finals or at the start of a semester. This pressure makes schools more likely to pay ransoms fast.
ShinyHunters has claimed responsibility for other major data breaches before. This attack appears to have been planned to cause maximum disruption and steal as much data as possible.
It is worth noting that the full extent of what data the hackers took remains unclear. Even though Canvas came back online, investigators are still looking into what student records and personal information may have been stolen. This could have privacy implications that go beyond the service being down.
For schools and their technology teams, this incident underscores an important lesson: when you depend on a single company for something critical like a grading system, you are at the mercy of that company's security. Even companies with strong defenses can be targeted. Schools need backup plans for when cloud services go down—whether from attacks or other reasons.


