2026 Canvas security incident

Cybersecurity incident From Wikipedia, the free encyclopedia

In early May 2026, Canvas LMS, a learning management system operated by private company Instructure, was affected by a data breach and outage.[1] Instructure disclosed that it was investigating a cybersecurity attack involving certain user data, including names, email addresses, student ID numbers, and messages among users.[2] The company said it had found no evidence that passwords, birth dates, government IDs, or financial information were involved in the hacking.[3]

Date: May 1–12, 2026
Location: International
Perpetrator: ShinyHunters
Outcome: Compromised data deleted

The security breach began on May 1, when Instructure disclosed an initial cybersecurity incident in which user records were stolen for ransom.[4] Despite Instructure's claim that the situation had been resolved, Canvas was hacked again on May 7; its login page was replaced with a ransom message by ShinyHunters, the criminal hacking group which claimed responsibility. ShinyHunters threatened to release Canvas' sensitive data unless its ransom was paid by May 12.[5][6] As of May 8, however, Instructure's status page reported no incidents related to the May 7–8 hack, and the company claimed that access to its website had been restored to most users.[7]

The hack is considered the largest educational security breach on record due to its unprecedented global scale, affecting 8,809 universities, educational ministries, and other institutions worldwide.[8] The breach had particularly significant implications in the United States, where Canvas is used by 41% of higher education institutions[9] as well as some K-12 schools.[10] The hacking group ShinyHunters claimed to have stolen 3.65 terabytes of data from approximately 275 million users, including private messages exchanged between students and teachers.[11]

The incident came to wider public attention on May 7 at approximately 1:20 p.m. PDT (UTC-7), when students began posting screenshots of the defaced Canvas log-in page on Reddit.[12] On May 11, Instructure issued an apology on its incident update page for its lack of transparency. In that statement, the company claimed to have reached an agreement with "the unauthorized actor" and that the compromised data was destroyed. Although the terms of the agreement are not publicly known, unconfirmed rumors suggest that US$10 million was paid.[13][14] Instructure has also said that Canvas is fully back online and safe to use;[2][15] however, this conflicts with its status website, which indicates ongoing access issues for some institutions as of May 12.[16]

On May 13, 2026, a proposed class action lawsuit was filed against Instructure in the United States District Court for the Southern District of California on behalf of a San Diego resident due to the release of personally identifiable information as a result of the breach.[17][18][19]

Background

Canvas is a commercial learning management system offered by Utah-based company Instructure. The software assists with managing coursework, assignments, quizzes, exams, and grades, as well as facilitating communication between instructors and students.[20]

In 2026, Instructure provided Canvas to approximately 30 million active participants at over 8,000 educational institutions in the United States, United Kingdom, Canada, Australia, New Zealand and some European nations. The platform is the most widely adopted learning management system in North American higher education, where 41% of institutions use the software.[20][21]

Breach and outage

On May 1, Instructure announced on their status page that a cybersecurity incident had occurred. On May 2, Instructure announced they had contained the issue, but names, email addresses, ID numbers, and messages had been stolen for ransom.[4] ShinyHunters posted a ransom note claiming responsibility for the attack on May 3. On May 6, Instructure stated that their Canvas system was back to normal operation and they had found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.[3][22]

On May 7, ShinyHunters wrote that Instructure had tried to implement security patches rather than negotiate with the hackers. This prompted the group to cause an outage where their new ransom note was displayed to every user. At 8 pm Eastern time, Instructure replaced the ransom note message with an alert stating their software was down for maintenance.[4] The outage occurred during the end of the academic year for many institutions, including during final exam periods at some colleges and universities.[5]

ShinyHunters claimed that nearly 9,000 schools worldwide[23] were affected, though the full scope of the breach has not been independently verified as of May 9, 2026.[5][21] Canvas resumed operations several hours after investigating the unauthorised access, later confirming that the exploit was caused by an issue related to its Free-For-Teacher accounts.[2] Some institutions waited to verify the security of their systems before activating Canvas on the afternoon of May 8.[24] According to Instructure's incident update page, Canvas is fully back online and safe to use.[2]

On May 11, Instructure issued an apology on its incident update page for its lack of transparency. In that statement, the company claimed to have reached an agreement with ShinyHunters and that the compromised data was destroyed. Instructure has also said that Canvas is fully back online and safe to use.[2] On May 12, according to the Instructure Status website, some users were still reporting issues with the system, including the inability to add enrollments to Catalog.[16]

Impact

Educational institutions in the United States, the United Kingdom,[25] Canada,[26] New Zealand,[27] Australia,[28][29] Sweden,[30] the Netherlands,[31] Hong Kong,[32] and Singapore[33] reported disruption, outage, and potential exposure of user information. Outages were caused by Canvas being taken offline by Instructure and then by institutions disconnecting from Canvas. The length of these outages varied by educational institution, ranging from one day to several days, with access to Canvas in some institutions still not restored after four days.[29]

The initial impact differed by educational institution. For example, the University of California system said its Canvas login pages had displayed a suspicious message from the threat actor and they instructed UC locations to temporarily block or redirect Canvas access "out of an abundance of caution".[34] ABC15 reported that finals were disrupted at Arizona State University, with end-of-school activities and celebrations temporarily halted and ASU themselves saying, "ASU is aware of an incident that has affected Canvas, the online platform students and faculty use to access courses and submit work, that has resulted today in users being redirected and rendering the platform inaccessible at this time. This incident is unrelated to any ASU-managed system."[35] CBS Sacramento reported that Sacramento State students attempting to log into Canvas were redirected to a page displaying a message attributed to ShinyHunters, which claimed that student and faculty data had been obtained, and threatened to leak it unless a ransom was paid.[6] ABC-owned local stations also reported impacts or monitoring by institutions including the University of Pennsylvania, Wake County Public Schools, and Duke University.[36][37]

In Australia, ABC News reported that universities, vocational providers, and some state schools were affected, and that the federal government's National Office of Cyber Security was coordinating a response.[3] Several universities, including the University of Melbourne, University of Technology Sydney, Royal Melbourne Institute of Technology, Griffith University, Adelaide University,[38] University of Canberra,[citation needed] and the Queensland University of Technology are offering extensions on assignments to affected students. University of Technology Sydney, Royal Melbourne Institute of Technology, Adelaide University, and the Queensland Department of Education have temporarily disabled access to Canvas systems as a preventative measure until the situation is resolved and are warning staff and students of potential phishing or scam emails.[39] Queensland Minister of Education John-Paul Langbroek said the attack could have impacted the data of 200 million people.[3] The Queensland Teachers' Union called for an investigation into what caused the breach and how similar attacks could be thwarted. Both Instructure and several Australian officials commenced investigations.

In Canada, at least eight universities and colleges have been affected and some schools have stopped access to Canvas.[26]

In the Netherlands, 44 educational institutions have been affected.[40] Several universities disconnected Canvas from their internal systems.[41]

In Hong Kong, five institutions, including three universities, were affected.[32] At the Hong Kong Polytechnic University, 42,000 students and staff were affected by the breach.[42]

In New Zealand, the University of Auckland, Auckland University of Technology, and Victoria University of Wellington were affected.[27]

Fallout

The House Homeland Security Committee announced an official investigation and invited Instructure CEO Steve Daly to submit information.[43][44]

Migrations away from Canvas

The University of British Columbia started moving staff and courses to Canvas's open source competitor Moodle as a tool for teaching, as well as the closed source competitor SharePoint for the Canvas Materials.[45]
