🔴 Breaking Update
Canvas LMS was hit by a major cyberattack during finals week 2026. The hacking group ShinyHunters claimed responsibility, posting ransom notes on Canvas pages at Harvard, Princeton, Columbia, Georgetown, Rutgers, Duke, UCLA, and thousands of other institutions. Canvas is now fully back online as of May 8, 2026. No passwords or financial information were compromised — but names, emails, and student ID numbers were exposed.
If you logged into Canvas this week and saw a strange message — or got locked out during a timed exam — here is exactly what happened and what you should do now.
What Happened — The Full Timeline
May 1, 2026 — Instructure, the parent company of Canvas, announced a cybersecurity incident had occurred. The company said the breach had been “contained” the next day, but names, email addresses, student ID numbers, and messages from some institutions had been exposed.
May 7, 2026 — ShinyHunters wrote that Instructure had tried to implement security patches rather than negotiate. This prompted the group to cause a major outage where their ransom note was displayed to every Canvas user.
A University of Washington student who tried to log into Canvas around noon Thursday was greeted by a message from ShinyHunters, which claimed to have “breached” the platform. Students at the University of Pennsylvania reported being logged out of Canvas accounts while studying for finals. Professors had to scramble to send class materials through other means.
May 8, 2026 — Instructure announced an “unauthorized actor” had exploited an issue related to the company’s Free-For-Teacher accounts. The company made the decision to temporarily shut down Free-For-Teacher accounts. Canvas was then fully restored and back online.
Which Universities Were Affected?
Students at major institutions including Harvard University, Princeton University, Columbia University, Georgetown University, and Rutgers University reported being locked out of their accounts at a critical point in the academic calendar.
Duke, UCLA, UT Austin, and University of Washington were also among the affected schools. Educational institutions in the United States, Canada, United Kingdom, New Zealand, Australia, Sweden, the Netherlands, and Singapore reported disruptions or potential exposure of user information.
ShinyHunters claimed to have stolen information from 275 million students and teachers, consisting of names, email addresses, and student ID numbers, as well as messages among users, according to Instructure.
Also Read: New York Regents Exam June 2026
Was Your Data Stolen? Here Is What Was — and Was Not — Exposed
Instructure informed universities that there is no indication that passwords, dates of birth, government identifiers, or financial information were involved in this incident.
What was exposed for some users:
- Full names
- Email addresses
- Student ID numbers
- Private messages between students and instructors
Your Canvas password, Social Security number, bank details, and date of birth were not part of this breach according to Instructure’s current investigation.
What Students Should Do Right Now
1 — Watch for phishing emails. Expect a wave of phishing emails claiming to be from “Canvas Support” or your “University IT Desk.” Never click on a link to reset your password directly from an email during a breach. Always go to your official university portal directly.
2 — Wait for official guidance from your school. The FBI confirmed it was aware of the platform disruption and advised concerned students and faculty to wait for official guidance from their school regarding the scope of the incident and the nature of any affected data.
3 — Check your university’s deadline extensions. Multiple universities and school districts reported that schools had already extended deadlines and changed finals schedules because of the hack. Log into your student portal or email for any updated instructions from your professors.
4 — Monitor your email accounts. Since email addresses were exposed, keep an eye on any associated accounts for unusual login attempts or suspicious activity in the coming weeks.
5 — Canvas is now safe to use. As of Friday evening May 8, Canvas is accessible. Instructure has engaged a third-party forensics firm for an investigation and notified law enforcement authorities. You can log in and access your coursework normally.
Also Read: How to Get Canva Pro Free for Students in 2026
What About My Finals?
If you were kicked out of a timed Canvas exam during the outage, contact your professor immediately if you have not already done so. Most universities have issued blanket deadline extensions and academic integrity accommodations for students affected during the outage window.
Check your university’s official communications — your registrar or dean of students office will have the most current information about academic accommodations related to the Canvas disruption.
Official Updates:
- Instructure status updates: status.instructure.com
- Check your university’s IT or registrar page for institution-specific guidance
Meet Deepkant, he has been writing content since 2020. Over the years he has worked across more than ten websites — mostly covering job updates, career guidance, and government schemes — which gave him a solid grip on how to break down complicated topics for everyday readers.
At NextExamNews, he writes guides, exam updates, and result-related articles covering major US exams. He tries to keep every article easy to read and straight to the point.
On the personal side, he is currently learning performance marketing and AI and finding ways to bring both into his content creation.