Canvas Cyberattack Disrupts Thousands of U.S. Schools and Universities Amid Finals Week

A widespread Canvas cyberattack threw classrooms across the United States into disarray on Thursday, knocking the popular learning platform offline at a particularly painful moment — right as students were preparing for final exams. The disruption highlighted just how heavily modern education leans on a single piece of software, and how quickly things can fall apart when that software fails.

The outage hit thousands of schools and universities, leaving students, professors, and administrators scrambling for workarounds.

What Caused the Outage?

The platform, run by the education-technology firm Instructure, was taken down following a breach claimed by a hacking group known as ShinyHunters. According to Luke Connolly, a threat analyst at the cybersecurity company Emsisoft, the group has publicly taken credit for infiltrating Instructure’s systems.

CBS News reached out to Instructure for comment. Late Thursday night, the company updated its public status page to confirm that Canvas was “now available for most users,” signaling that core services were beginning to come back online — though questions about the scope of the breach remain.

Major Universities Caught in the Crossfire

The list of impacted institutions reads like a who’s-who of American higher education. Among the schools that reported disruptions were:

• Penn State University
• University of Wisconsin-Madison
• Columbia University
• Union College, New Jersey
• UCLA and several other California universities
• Northwestern University
• University of Chicago
• University of Illinois Chicago and the University of Illinois

In a notice to its student body, Penn State explained that “no one has access” to Canvas and warned that a fix was unlikely “within the next 24 hours.” As a direct result, all exams scheduled at the university’s Pollock Testing Center for Thursday and Friday were called off.

Harvard’s student newspaper also reported that the platform was unreachable on its campus, suggesting the impact stretched well beyond the schools officially named.

K-12 Districts Step In to Reassure Families

The fallout wasn’t limited to colleges. Public school districts across the country also rushed to communicate with concerned parents. Officials in Spokane, Washington, for example, told families they weren’t “aware of any sensitive data contained in this breach,” attempting to ease worries while investigations continue.

Still, the incident underlines a growing reality: schools at every level — from elementary through graduate — depend on cloud-based platforms to manage day-to-day learning.

Why Canvas Matters So Much

Canvas isn’t just another app. It’s the digital backbone of countless classrooms, used to handle:

• Grades and gradebooks
• Course materials and notes
• Homework, quizzes, and assignment submissions
• Recorded lectures and video content
• Direct communication between teachers and students

According to Connolly, the hackers claimed that almost 9,000 schools worldwide were caught up in the breach, along with billions of private messages and other records. Screenshots he shared showed that ShinyHunters began threatening to leak the stolen data starting Sunday, with deadlines set for Thursday and May 12. The later date, he noted, suggests that ransom or extortion talks may still be underway behind the scenes.

Schools Have Become Top Targets for Hackers

Educational institutions have rapidly become some of the most attractive targets for cybercriminals. Years ago, sensitive student records sat inside locked filing cabinets. Today, they live in databases and cloud servers — a goldmine for hackers willing to dig.

Major attacks in recent years have hit Minneapolis Public Schools and the Los Angeles Unified School District, exposing the personal information of countless students and staff members. Schools, often working with limited cybersecurity budgets, struggle to keep up with the sophistication of modern criminal groups.

So far, Instructure has not addressed the attack on any of its social media channels, leaving students and educators to rely on third-party reporting and the company’s status page for updates.

A Familiar Pattern: Echoes of the PowerSchool Breach

Connolly pointed out that the Canvas incident bears strong resemblance to a previous breach involving PowerSchool, another major player in the education-technology space. In that earlier case, a college student from Massachusetts was eventually charged for his alleged role in the hack — a reminder that the people behind these attacks aren’t always part of distant, faceless syndicates.

He described ShinyHunters as a loosely organized group of teenagers and young adults based largely in the United States and the United Kingdom. Despite their informal structure, the group has been tied to several high-profile breaches, including one targeting Ticketmaster, the ticketing arm of Live Nation.

What’s Next for Schools and Students?

For now, the immediate concern is restoring full functionality and protecting any student data that may have been compromised. Universities are weighing whether to extend deadlines, reschedule exams, or shift coursework to alternative platforms while the situation stabilizes.

In the longer term, the Canvas cyberattack is likely to renew tough conversations within the education sector about:

• How schools store and protect student data
• The risk of relying on a single learning management system
• The need for stronger contracts with technology vendors that prioritize cybersecurity
• Better incident-response plans for both colleges and K-12 districts

As education becomes ever more digital, breaches like this one are unlikely to be the last. The Canvas outage is a stark reminder that when an entire learning ecosystem rests on one platform, even a single successful hack can ripple across millions of students in a matter of hours.

Until institutions and ed-tech companies invest seriously in resilience and security, finals weeks may not be the only thing that gets disrupted next time.