On May 7, 2026, Canvas, a popular cloud-based education platform used by over 8,000 K-12 schools and higher education institutions across the United States, was shut down by a cyberattack. Universities, colleges and school districts across the country report being affected. The attack was perpetrated by a criminal hacking group known as ShinyHunters, who gained unauthorized access to the Canvas platform and stole a significant amount of user data before attempting to extort Instructure, Canvas’s parent company and the affected schools.
This recent hack follows a previous cybersecurity incident against Instructure that took place on May 1. Although Instructure claimed that the breach had been “contained” as of May 2, personally identifying user data, including names, email addresses, student ID numbers and Canvas messages, appear to have been exposed. On May 3, ShinyHunters shared a ransom note, claiming that it breached 275 million individuals’ data across nearly 9,000 schools, and had access to “several billions of private messages.” Instructure was told they had until May 6 to reach out to the hackers, and a deadline of May 12 was given to “negotiate a settlement.” Many notable institutions also report that a ransom note was posted on the homepage of their Canvas sites.
As of May 8, 2026, Canvas is back online and normal operations are restored, though due to the timing of the breach, the hack has already impacted exam schedules and assignment deadlines at many schools and universities. After investigation, Instructure reports that the hack stemmed from the exploitation of a weakness tied to Canvas’s Free-For-Teacher accounts. The Free-For-Teacher accounts have been temporarily shut down in the wake of the attack. Institutions should be aware that they may need to contact their cyber insurance carriers and may have other legal notice obligations. We will know more as more information is revealed from Canvas.
Our team of attorneys at Bond, Schoeneck & King has extensive experience in both higher education, school law and cybersecurity & data privacy. If you are an institution that uses Canvas or are otherwise affected by this breach and have any questions about this update, please contact Amber Lawyer, Jessica Copeland, Shannon Knapp or any Bond attorney with whom you work regularly.
Thank you to associate Courtney Ryan for assistance in drafting this memorandum.
On May 7, 2026, Canvas, a popular cloud-based education platform used by over 8,000 K-12 schools and higher education institutions across the United States, was shut down by a cyberattack. Universities, colleges and school districts across the country report being affected. The attack was perpetrated by a criminal hacking group known as ShinyHunters, who gained unauthorized access to the Canvas platform and stole a significant amount of user data before attempting to extort Instructure, Canvas’s parent company and the affected schools.
This recent hack follows a previous cybersecurity incident against Instructure that took place on May 1. Although Instructure claimed that the breach had been “contained” as of May 2, personally identifying user data, including names, email addresses, student ID numbers and Canvas messages, appear to have been exposed. On May 3, ShinyHunters shared a ransom note, claiming that it breached 275 million individuals’ data across nearly 9,000 schools, and had access to “several billions of private messages.” Instructure was told they had until May 6 to reach out to the hackers, and a deadline of May 12 was given to “negotiate a settlement.” Many notable institutions also report that a ransom note was posted on the homepage of their Canvas sites.
As of May 8, 2026, Canvas is back online and normal operations are restored, though due to the timing of the breach, the hack has already impacted exam schedules and assignment deadlines at many schools and universities. After investigation, Instructure reports that the hack stemmed from the exploitation of a weakness tied to Canvas’s Free-For-Teacher accounts. The Free-For-Teacher accounts have been temporarily shut down in the wake of the attack. Institutions should be aware that they may need to contact their cyber insurance carriers and may have other legal notice obligations. We will know more as more information is revealed from Canvas.
Our team of attorneys at Bond, Schoeneck & King has extensive experience in both higher education, school law and cybersecurity & data privacy. If you are an institution that uses Canvas or are otherwise affected by this breach and have any questions about this update, please contact Amber Lawyer, Jessica Copeland, Shannon Knapp or any Bond attorney with whom you work regularly.
Thank you to associate Courtney Ryan for assistance in drafting this memorandum.
