“I’m locked out of my exam”: Canvas cyberattack sparks finals week panic for thousands of students



ShinyHunters’ breach of Canvas education systems triggered a finals week meltdown Thursday – locking tens of thousands of students out of the global learning platform at schools and universities across North America.

Update May 8th: ShinyHunters posted a new “press statement” on its leak site on Friday, claiming it is receiving inquiries “every hour from all around the world,” but said it is “not commenting” further on the global incident.

Canvas says it has restored services, although users are still reporting the service is down, forcing some schools to cancel exams altogether, including one Pacific Northwest university, which canceled all finals on Friday.


Canvas by Instructure, the education platform used by millions of students worldwide for exams, coursework, grades, and assignments, was temporarily taken offline for maintenance on Thursday afternoon – the fallout of this week's ransomware attack claimed by the notorious ShinyHunters extortion gang.

By Thursday evening, the platform was reported to be back up and running, after being down for most of the day, although many users are still reporting Canvas offline as of Friday afternoon.

At 9:17 p.m. Mountain Time, Instructure posted a status update on its website that “Canvas was available for most users.” However, it said Canvas Beta and Canvas Test remained in maintenance.

Canvas website status page. Image by Cybernews.

ShinyHunters threaten to leak student data, extort schools

Still, the update does little for the more than 9,000 schools caught up in the attack.

The ransomware group, which claims to have stolen more than 3.65TB of data from Instructure – including more than 275 million personal messages of students and faculty members – has been ramping up its threats since it posted the educational platform on its dark leak site on Monday.

In a new post Thursday – which has since disappeared from the leak site – ShinyHunters is now threatening the schools linked to the attack, warning it will publish the stolen data unless the individual schools themselves are willing to make contact by May 12th.

Columbia University in New York City, an Ivy League school, appeared on ShinyHunters' 9,000-school victim list. Image by Tada Images | Shutterstock

“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches,’” the group wrote.

Next, the cybercriminals sent a warning to the thousands of impacted schools, which had been revealed in a list posted on the group’s site Tuesday.

“If any of the schools are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12th 2026 before everything is leaked,” ShinyHunters warned.

The ShinyHunters warning post is no longer on the group's leak site. Image by Cybernews

ShinyHunters defaces Canvas webpages

Meanwhile, students at multiple universities on Thursday reported seeing the ShinyHunters extortion warning displayed directly on Canvas login pages before the platform was taken offline "for maintenance."

The University of Pennsylvania was among the unlucky schools whose Canvas platform was defaced by ShinyHunters. According to a report by The Daily Pennsylvanian, the hackers urged impacted schools to “negotiate a settlement,” posting the warning in full.

One apparent student posted a screenshot of his browser on X, commenting, "Lol ShinyHunters has taken control of my school's canvas infrastructure (and presumably many others) in the middle of finals week."


At around 4:20 p.m., the ShinyHunters message was replaced by a message from Canvas that stated the platform was undergoing “scheduled maintenance,” the newspaper said.

Then, in another update on Friday, ShinyHunters posted a comment on its leak site, apparently unable to keep up with the large number of press requests flooding its inbox since the outage began to personally impact students across campuses.

"Due to the significant amount of press inquiries we are receiving every hour from all around the world, we are making a public statement," the group wrote ironically, in a statement about not making a statement.

"We are not commenting and have no further comment to make regarding this global incident," it said.

ShinyHunters declined to comment on what it called a “global incident.” Image by Cybernews

Finals week chaos spreads across campuses

Canvas serves as the central hub for a plethora of universities and school systems – hosting exams, assignment submissions, lecture notes, grades, instructor communications, and coursework. The timing couldn’t be worse.

While news about the outage spread across message boards, local news outlets, and student newspapers, most schools are winding down the spring semester, with tens of thousands of students preparing to take their final exams.

All eight Ivy League schools, including Harvard, Princeton, and Yale, as well as Duke, UCLA, the University of Nebraska, several Florida K-12 school districts, and the University of Central Florida, were just a handful of schools reportedly impacted by the disruption.

Students scrambled to access final exams after Canvas outages spread across campuses. Image by Tada Images | Shutterstock

As the Canvas systems went down Thursday afternoon, social media rapidly filled with students panicking over inaccessible exams, missing coursework, and fears that assignments could not be submitted in time.

Earlier in the day, the company said it was investigating an issue involving Student ePortfolios logins, although it said the problem was “not affecting customers.”

Some schools were forced to cancel exams altogether, including Boise State University in Idaho, which announced all finals were canceled on Friday. The university told students exams would not be rescheduled, and that the cancellation would not negatively impact grades.

“I’m locked out of my exam,” a student commented on X as reports of outages and login failures spread across campuses.


“Canvas been down for 6 hours and it’s freaking me out. like is the FBI on this?” another student posted.

Later, another student reported that the Canvas platform was “finally back up,” also noting, “I still can’t take my exam, the honlock access code is no longer working, might be cooked.”

Downdetector complaints also spiked, with users across North America reporting login failures and connectivity issues tied to Canvas services. Many students continued to report that the system was still down late Friday evening, hours after Instructure declared systems were restored.

"The irony that I need to submit my Cybersecurity final," a user named "ShiddyHunters" wrote on the website-monitoring site alongside 2,870 other comments, as of Friday.

Downdetector.com shows Canvas outages spiking on May 7, 2026. Image by Cybernews

Some universities issued warnings to students about intermittent outages, some directed students to change their passwords immediately, while others appeared to regain limited access by Thursday evening.

Canadian schools, including the University of British Columbia and Simon Fraser University, alerted their students and staff about the exposure and the possibility of targeted phishing attacks tied to the incident, CBC reported.

“Until further notice, students should not attempt to access or use Canvas,” the Central Louisiana Technical Community College (CLTCC) warned users across social media pages, urging students and faculty to “not click any suspicious links or popups” related to the platform or the hack.

Schools pressured with familiar ransomware playbook


What began as a breach claim now appears to be evolving into a mass extortion campaign targeting schools individually.

The new ShinyHunters post on Thursday began raising fears that the schools themselves – not just Instructure – may now face direct pressure from the threat actors as negotiations escalate.


According to Instructure’s initial findings, the exposed information included full names, email addresses, student identification numbers, course enrollment information, and internal communications.

The learning management systems developer says there’s no evidence that passwords, dates of birth, government identifiers, or financial information were exposed.

“If that changes, we will notify any impacted institutions,” Instructure said in a statement.

Familiar ransomware playbook

It's not the first time a cloud-based educational technology provider has been targeted by ransomware.

In December 2024, PowerSchool – a K-12 software provider serving over 60 million students at 15,000 schools in North America – found itself on the losing end of a ransom negotiation gone bad, which also negatively impacted the schools using the technology.

What’s more, about four months after publicly acknowledging the breach, PowerSchool officials admitted to paying the ransom demand, actually believing the hackers would delete the data as promised to the company.


Instead, after collecting the ransom, the unnamed ransomware group began extorting the schools individually, disrupting the PowerSchool platform and threatening to leak the student data it had never deleted.

Turns out, a 19-year-old college student from Massachusetts – now serving four years in federal prison – was responsible for the PowerSchool hack.

In addition to prison time, the convicted student was ordered to pay over $14 million in restitution.
