Canvas went offline during a critical finals stretch after Instructure detected unauthorized activity, triggering a temporary maintenance shutdown while investigators and outside forensics worked the case. The company says the attacker exploited an issue tied to Free-For-Teacher accounts, prompting a tougher response and the temporary suspension of those free accounts. That interruption left students and teachers scrambling for assignments, grades and exam details, and raised concerns about exposed personal data and follow-up scams.
For many schools Canvas is the hub for deadlines, grades and professor messages, so an outage removes a key lifeline at the worst possible moment. Students rely on it for exam instructions and submissions, and instructors use it to manage grading and class communication. When the platform went dark, confusion and missed deadlines spread quickly across campuses.
Instructure says it first detected unauthorized activity on April 29, revoked the intruder’s access and engaged outside forensic teams to investigate. Then on May 7 the company reported additional activity linked to the same incident, including changes to pages that appeared for some logged-in users. To contain the issue and add safeguards, Instructure put Canvas into maintenance mode while it dug deeper.
“Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
That Free-For-Teacher detail explains how the company says the attacker got in and why the response grew more aggressive after the May 7 activity. Instructure reports Canvas is back online for standard accounts, but Free-For-Teacher access remains paused while fixes continue. The investigation is ongoing, with the company revoking privileged credentials and adding monitoring and protections.
A hacking group called ShinyHunters claimed responsibility and reportedly threatened to leak data unless contacted by affected schools. The group bragged about holding data tied to nearly 9,000 schools and roughly 275 million people, though those figures remain the hackers’ claims and are not fully verified by Instructure. Cybercriminals often use large numbers to ratchet up fear and pressure organizations into paying or reacting hastily.
Based on Instructure’s findings so far, the April 29 incident appears to have exposed names, email addresses, student ID numbers and messages exchanged within Canvas at certain organizations. The company says it has not found evidence that passwords, dates of birth, government identifiers or financial information were taken in that event. Even without those more sensitive items, the exposed details can still be useful to scammers crafting convincing messages.
Expect phishing attempts that mimic school communications, especially right after a breach. Examples include emails that claim a final exam file failed to upload, messages that demand Canvas verification, or fake IT alerts asking for login codes. The trick is urgency; do not click links in surprise messages and always reach your school through official channels.
If your school instructs a password reset, follow its guidance without delay and pick a unique, strong password you don’t reuse elsewhere. A password manager can generate and store strong credentials for each account so you don’t have to remember them. Those simple steps cut the chance a stolen login gets reused across multiple systems.
Turn on multifactor authentication when your school offers it, and prefer authenticator apps or passkeys over text messages when possible. Any MFA is better than none because it adds a second barrier even if a password is compromised. Remember that legitimate IT staff will never ask for your password or one-time login codes; treat such requests as red flags and contact your institution’s help desk directly.
Keep antivirus and device software updated to reduce the risk if a phishing email slips through, and be cautious about opening attachments or clicking unfamiliar links. Consider identity protection or data removal services if your school confirms your information was involved, since those tools can monitor for suspicious use. Reducing the traces of your personal data online makes it harder for scammers to build convincing social engineering attacks.
Parents should explain the basics to younger students: don’t click unexpected links, never share verification codes, and check with a trusted adult before responding to alarming messages. Schools should notify impacted communities directly and warn students and staff about follow-up scams that try to piggyback on the original incident. Until the investigation is fully complete, treat urgent-sounding messages with skepticism and verify everything through official school contacts.
