Canvas Cyberattack Disrupts Final Exams at Major U.S. Universities
A cyberattack on the Canvas educational platform by the ShinyHunters gang forced universities across the U.S. to reschedule final exams after attackers defaced the site and exploited a vulnerability in "Free-For-Teacher" accounts.

Universities and K-12 school districts across the United States were forced to reschedule final exams this week after a cyberattack on the Canvas educational platform, managed by Instructure, resulted in widespread service outages and website defacement. Students attempting to access course materials reported seeing messages from the ShinyHunters cybercriminal gang, who claimed to have breached the platform in retaliation for Instructure's refusal to pay a ransom following an initial intrusion last week (The Record).
The incident began on April 29, when attackers first gained unauthorized access to the platform. Instructure stated that the threat actors managed to remain within their systems until May 7, when they executed a defacement attack that replaced legitimate course pages with ransom demands. These messages urged educational institutions to contact the hackers directly to negotiate a ransom payment by May 12 (The Record).
Instructure confirmed that the attackers exploited a vulnerability specifically related to their "Free-For-Teacher" accounts. To contain the breach and prevent further unauthorized access, the company took the entire Canvas platform offline for several hours. This disruption impacted a significant portion of the North American education sector, as Canvas supports learning at 41% of higher education institutions in the region. Major universities, including Princeton, Duke, the University of Pennsylvania, and the University of Texas, were among those forced to notify students of the outages and delay critical academic assessments (The Record).
During the initial April 29 breach, the attackers reportedly exfiltrated 3.6 terabytes of data, including names, email addresses, student ID numbers, and internal messages from over 9,000 schools. Instructure clarified that while the Thursday defacement caused significant operational disruption, no additional data was stolen during that specific event. In response to the breach, Instructure has permanently disabled the compromised "Free-For-Teacher" account feature to restore platform security (The Record).
Instructure has engaged external cybersecurity experts to investigate the incident and confirmed that, as of Friday, there is no evidence that the threat actors retain access to the platform. The company has notified the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) regarding the intrusion. While the company was removed from the ShinyHunters leak site on Thursday night, Instructure has declined to comment on whether any ransom negotiations took place (The Record).
This incident highlights the systemic risk posed by centralized educational platforms, where a single point of failure can disrupt thousands of institutions simultaneously. Security experts note that groups like ShinyHunters target these platforms specifically because the scale of the breach provides significant leverage for extortion. As schools increasingly rely on cloud-based learning management systems, the security of these providers remains a critical concern for the academic sector (The Record).