A coordinated ransomware attack against Instructure, the Salt Lake City-based company behind the Canvas learning management system, has compromised data belonging to an estimated 275 million students, teachers, and staff across nearly 9,000 institutions worldwide, marking one of the most disruptive cyberattacks ever executed against the global education sector.
The breach, claimed by the criminal extortion group ShinyHunters, forced Canvas offline on Thursday, 7 May 2026, at one of the most operationally sensitive moments in the academic calendar: final examinations. The platform, which serves more than 30 million active users globally and counts institutions including Harvard, Columbia, Princeton, Georgetown, Penn State, MIT, Rutgers, and UCLA among its clients, went dark mid-session, stranding students mid-revision and forcing universities to cancel and postpone assessments at scale.
Instructure confirmed it first detected suspicious activity on 29 April 2026 and believed the breach had been contained the following day. However, on 7 May, more unauthorised activity tied to the same incident was discovered, with hackers changing pages that appeared when students and teachers logged in. The company took Canvas offline into maintenance mode to contain the activity and apply additional safeguards. By 11:17 p.m. EDT on Thursday, Canvas was restored for most users, and the company confirmed it was fully back online on the morning of Friday, 8 May.
The attack vector, identified as an exploit tied to Instructure’s Free-For-Teacher accounts, is the same vulnerability that had enabled the prior week’s breach, suggesting that the company’s initial remediation was insufficient. ShinyHunters, in its ransom note posted directly to Canvas homepages, publicly rebuked the company’s response: the group stated that rather than engaging to resolve the issue, Instructure had implemented security patches without negotiation, an action the group characterised as a provocation.
ShinyHunters claimed to have exfiltrated more than 3.65 terabytes of data, including approximately 275 million records tied to students, teachers and staff. The group issued a deadline of 12 May 2026 for Instructure and affected institutions to negotiate a settlement, warning that failure to engage would result in a full public data release.
Cybersecurity threat analyst Luke Connolly of Emsisoft described ShinyHunters as a loose affiliation of teenagers and young adults based primarily in the United States and the United Kingdom, with a documented history of high-profile attacks including a breach of Live Nation’s Ticketmaster subsidiary. The group’s selection of finals week as the moment to activate the breach was widely assessed as deliberate. One cybersecurity expert stated plainly that the group had picked a strategically optimal time of year, describing the timing as thought-out and planned.
The institutional fallout was immediate. The University of Texas at San Antonio announced it was rescheduling finals scheduled for Friday. Penn State cancelled all tests at its Pollock Testing Center for Thursday and Friday. Schools across California, Florida, Georgia, North Carolina, Virginia, Wisconsin, and more than a dozen other states reported disruptions. The North Carolina Department of Public Instruction removed Canvas’ access to its NCEdCloud sign-on portal entirely, stating it was a necessary step to protect state data.
Instructure confirmed it had notified the FBI, the US Cybersecurity and Infrastructure Security Agency, and international law enforcement partners.
The global dimension of this attack carries direct implications for Africa and for South Africa specifically. As institutions across the continent accelerate the adoption of cloud-based learning infrastructure, Canvas and comparable platforms have become foundational to university-level education delivery. South African universities, many of which operate hybrid and digital-first academic models following the structural shifts of the post-pandemic period, are increasingly dependent on centralised learning management systems. The ShinyHunters attack demonstrates that the risk exposure of this infrastructure is not theoretical. It is operational, immediate, and scalable.
The breach also raises a structural question for African institutions procuring EdTech at speed: vendor resilience must now be evaluated as rigorously as functionality. A platform breach of this scale, executed through a Free-For-Teacher account vulnerability that survived an initial security patch cycle, suggests that the due diligence applied to enterprise cybersecurity has not been systematically extended to education technology procurement. That gap, across any market, is now a documented liability.
The May 12 deadline set by ShinyHunters remains active. Whether Instructure enters negotiations, resists, or pursues enforcement action through the FBI and CISA will determine the second chapter of this event. What the first chapter has already established is that education infrastructure, once considered low-risk in the hierarchy of critical systems, is now a primary target for sophisticated criminal actors with the tools and timing to cause institutional paralysis at global scale.
