The widely used Canvas learning management system experienced a significant security breach on May 7, as reported by Reuters. Multiple US college newspapers confirmed the hacking incident, which disrupted access to coursework, grades, and exam materials during the critical finals week. Students and faculty across thousands of institutions were unable to log in, causing widespread chaos.
Details of the 2026 Canvas Security Incident
This ongoing cybersecurity breach, now referred to as the 2026 Canvas security incident, affects Canvas LMS, a platform operated by Instructure. In early May, Instructure disclosed that it was investigating a cybersecurity incident involving certain user data, including names, email addresses, student ID numbers, and messages among users. The company stated that it found no evidence that passwords, dates of birth, government identifiers, or financial information were compromised.
ShinyHunters Claims Responsibility
The hacker group ShinyHunters claimed responsibility for the attack, posting ransom notes on Canvas login pages. ShinyHunters, which reportedly formed in 2019, operates on a "pay or leak" framework to extort companies and institutions. On May 7, Canvas, Canvas Beta, and Canvas Test were placed into maintenance mode while Instructure investigated. The ransom message read in part: "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches.'" The group warned universities to negotiate by May 12 or risk having stolen data leaked. Reports suggest that hackers may have accessed records from more than 9,000 schools, potentially exposing names, email addresses, student IDs, and internal messages.
Impact on Universities
Several prominent institutions reported outages:
- Harvard Crimson reported that students were locked out of Canvas.
- Daily Pennsylvanian confirmed ransom demands appeared on Penn’s Canvas portal.
- Duke Chronicle reported widespread disruption across Duke University.
- Other affected schools include UCLA, University of Nebraska, and the University of Missouri system, highlighting the scale of the breach.
Company Response
Canvas parent company Instructure placed the platform into maintenance mode while investigating. The company reiterated that there is no evidence that passwords, financial records, or government identifiers were compromised, but it has not confirmed the full extent of the breach. Universities have advised students not to engage with hacker messages or click links displayed on login pages.
