Overview
- Instructure, which runs the Canvas learning platform, said a threat actor gained access Thursday and the company briefly took Canvas offline, then reported Friday that service was back for most users as some schools kept access limited during security checks.
- Company officials said the intruder abused a weakness tied to Free‑for‑Teacher demo accounts, which remain disabled, and that exposed data from the earlier April 29 incident included names, email addresses, student ID numbers, and messages with no evidence of stolen passwords, Social Security numbers, birth dates, or financial data.
- Messages attributed to a group calling itself ShinyHunters appeared on some login pages, claimed roughly 6.65 terabytes of Canvas data from about 9,000 institutions, and set a May 12 deadline for negotiations, though those claims have not been independently verified.
- The outage hit during finals week and forced changes on many campuses, with schools such as Penn State, the University of Illinois, Rutgers, and others canceling or delaying exams and extending assignment deadlines as students lost access to course materials and grade books.
- Law enforcement was notified, with the FBI urging affected users to report to ic3.gov, and Instructure now faces multiple federal lawsuits as colleges re‑integrate systems and warn about likely phishing that could exploit exposed contact details and internal messages.