The online education platform Canvas went offline after a data breach on Thursday, temporarily leaving students and faculty at thousands of U.S. colleges — and K-12 schools — without access to course materials and communications during finals period.
"I'm sure somewhere in the country when the outage happened, there probably were people actually taking final exams on the platform when it crashed," says Damon Linker, a senior lecturer in political science at the University of Pennsylvania.
Thirty million users — including at half of the higher education institutions in North America — rely on Canvas to manage courses, submit assignments, view grades and facilitate communication, according to its parent company, Instructure.
But when Linker and many other users tried to do so on Thursday afternoon, they met a black screen and a warning message.
"ShinyHunters has breached Instructure (again)," it read. "Instead of contacting us to resolve it they ignored us and did some 'security patches.'"
ShinyHunters is the same entity that took credit for a massive Ticketmaster data breach in 2024. Like many such groups, it's a cluster of young people working remotely together, "kind of like a ransomware gang," says Rachel Tobac, the CEO of SocialProof Security, which trains people and companies to defend themselves against hackers.
ShinyHunters wrote on a threat intelligence website earlier this week that the initial breach on Saturday involved data — including private messages — from 275 million students, teachers and staff at nearly 9,000 schools worldwide. The group said Thursday that affected schools can prevent the release of their data by consulting with cyber advisory firms and negotiating settlements through the encrypted chat platform Tox.
"You have till the end of the day by 12 May 2026 before everything is leaked," the hackers wrote.
Instructure has confirmed a series of cybersecurity breaches this week and provided status updates on its website. It said the breach only appeared to involve identifying information like names, email addresses, student ID numbers and user messages — no passwords, birth dates, government identifiers or financial information.
Instructure confirmed on an FAQ page that it started an investigation after it first detected unauthorized activity in Canvas on April 29, and took Canvas offline on Thursday after that same unauthorized actor "made changes that appeared when some students and teachers were logged in." They said the actor exploited an issue with its Free-for-Teacher accounts, which it has temporarily shut down.
"This gives us the confidence to restore access to Canvas, which is now fully back online and available for use," it said in a statement to NPR. "We regret the inconvenience and concern this may have caused."
It's not clear whether Instructure paid a ransom or what the return of Canvas access could mean for the hackers' May 12 deadline.
Tobac says Canvas could be back online because of a successful negotiation, or because the hackers "didn't get super far in their attack." Either way, she says users should stay vigilant, especially for phishing messages — whether it's someone posing as Canvas prompting a password change, or pretending to be a professor sending course materials.
"I would operate under the assumption that there's going to be some knock-on effects here," she says.
Not everyone got back online immediately
Just before midnight on Thursday, Instructure posted online that "Canvas is now available for most users," though two separate services, Canvas Beta and Canvas Test, remained in maintenance mode.
Students and faculty at at least some schools were still unable to access Canvas on Friday — either because service had not yet been restored or because administrators warned them to stay away.
Penn State University, for example, said Friday morning that while the school's Canvas access had been partially restored, it was "not yet ready for use."
"Technical teams at Penn State are actively working to prepare the system for our community," it added. "As access is restored, Canvas integrations and related services will be brought back online in phases."
Several schools have taken similar approaches, either temporarily disabling Canvas access or outright asking users to steer clear. The University of California said across its schools, "Canvas access will not be restored until we are confident the system is secure."
And it's not just higher education: The Montgomery County Public School system in Maryland alerted families on Friday morning that even as service returned, it is "continuing to test and review systems before restoring access."
Tobac says this could mean that schools think the attackers might still be within their systems, potentially stealing information like passwords and messages.
"The attackers probably got some sensitive information and … [schools] don't want this information out online," she says.
Many schools are urging users to be on high alert for any unsolicited emails or messages that appear to come from Canvas, especially those requesting login credentials, as Georgetown University warned. The University of Amsterdam — which says it's one of 44 Dutch educational institutions affected — also recommends people change their passwords on any other sites where they use the same one.
Tobac also recommends using a password manager — to generate long, random passwords for each login — and turning on multi-factor authentication for all online accounts, not just Canvas. She says any student or professor who gets a suspicious call, text or email should "use another method of communication to verify what is authentic."
"Even if there was no breach yesterday, I would say these are the things that I recommend you do," she adds, urging people to "be politely paranoid."
The breach disrupts finals, highlights vulnerabilities
Several schools affected by the breach have already postponed or outright scrapped some final exams, with others warning students and professors that they might need to do so.
The University of Illinois is postponing all final exams and assignments scheduled through Sunday. Penn State canceled certain exams scheduled for Thursday night and Friday, saying it was working with faculty to "determine next steps for final grading" and urging students to check their emails (not Canvas) regularly in the meantime. And Baylor University delayed Friday exams and asked all faculty to send students "whatever study materials they have on their local computers to students as soon as possible."
The breach has underscored how much of academia relies on a single, centralized platform.
Linker, of UPenn, told NPR that he received an influx of panicked messages from students on Thursday afternoon when they suddenly couldn't access PowerPoints, readings and previous exams as they tried to study for Monday's final.
"The problem with using a platform like Canvas is that most [students] are not going to have the readings available printed out or on their laptops," he explains. "It all lives on the online platform, and if that platform goes down, they have no way to access them."
He told students on Thursday that he would upload the course materials to another platform (like Dropbox or Google Docs) if Canvas access wasn't restored by Friday morning. Fortunately, he says, it came back online shortly before 9 a.m. ET.
But Linker says he has concerns about relying fully on Canvas in the future.
"Given what this has exposed, the vulnerability involved and also the concern with the data breaches, I'm starting to rethink whether this is really a wise way to proceed," he says.
One example of that is grading. Linker says Canvas makes it so easy to calculate and weigh students' scores — on individual assessments and overall — that it's come to function as a digital grade book. Going forward, he says he may start keeping an analog record of students' grades just in case.
While Canvas does have competitors like Blackboard, Linker says he doesn't think any would be less vulnerable to a future breach. And Tobac agrees.
"The problem is not that this one website had this cyber event, right? Because nothing in this world is unhackable," she says. "The thing that we have to think about is disaster recovery: How do we continue doing business when there is a cyber event, and how do we do our very best to keep the bad actors out?"
Tobac says this week has shown that many institutions did not have a clear plan for how students and professors can be in touch and access course materials without Canvas. She said those plans should vary based on schools' different circumstances and schedules — which might explain why some are proceeding with finals as usual while others are scrapping exams altogether. But she'd like them to approach the immediate aftermath with one common goal.
"We have to treat people with dignity and respect," Tobac says. "And I hope that that is something that the institutions do, within their timelines and constraints."
Copyright 2026 NPR