When School Platforms Become Cyber Targets

The Canvas/Instructure Cyber Incident

May 12, 2026

The Situation

For a lot of students, Canvas is not just another app.

It is where assignments live. It is where grades appear. It is where students message professors, download readings, check deadlines, upload papers, and refresh the page one too many times after submitting something important.

I know that feeling.

When I was earning my Master of Public Health through George Washington University, Canvas was part of my academic routine. I used it to submit assignments, message classmates and instructors, access course documents, and keep track of deadlines that always seemed closer than I wanted them to be. During regular weeks, that was stressful enough.

During thesis work, it felt different.

When you are submitting your final thesis, preparing for a presentation, waiting for feedback, or trying to make sure every document is uploaded correctly, the learning platform becomes more than a convenience. It becomes the doorway to finishing the program.

So when I read about the ongoing Canvas/Instructure cyber incident, it felt a bit personal. If this had happened during finals week, or during the final week of my thesis submission and presentation, I probably would’ve panicked.

And honestly, I’d be shocked if any student didn’t.

We Trust These Systems Until They Fail

There is an inherent trust built into digital learning platforms.

Students trust that the assignment they uploaded will stay uploaded. They trust that messages to professors will go through. They trust that readings, lecture notes, grading rubrics, and feedback will be available when they need them. Students trust that the tools schools choose are reliable, secure, and professionally managed. Most of the time, we don’t think about that trust because the system works.

Then something breaks.

When it does, the first place students usually point is the school. I know that because I did.

I was in the middle of my MPH program when George Washington University transitioned from the 2U learning management system to Canvas. Like any major technology transition, there were some kinks to work out. At the time, my thinking was simple: the university made the decision to switch platforms, so the university was responsible for the problems that came with it.

That reaction made sense from a student’s perspective. I was paying tuition. I had deadlines. I had work to complete. I didn’t care much about procurement, vendor agreements, integrations, migration timelines, or back-end technical issues. I cared about whether I could access what I needed and submit my assignments on time.

Now that I’m no longer a student, I can step back and see the situation with a bit less bias.

Schools and universities do have responsibility for the systems they choose. They are accountable to students for communication, planning, continuity, and support. But they don’t control everything. In a highly connected education technology environment, part of the risk sits with the vendor. In this case, that means Canvas/Instructure.

I think that is important to note, not because it lets schools off the hook, but because it helps students understand where the real vulnerabilities are.

The Canvas Incident Is Not Just a Technology Story

According to Instructure’s latest public incident update, Canvas is fully back online and available for use. Instructure says the incident involved unauthorized access to part of its environment, with affected data fields including usernames, email addresses, course names, enrollment information, and messages. The company says core learning data, including course content, submissions, and credentials, was not compromised. It also says it has not found evidence that data was taken during the May 7 activity, though the investigation is still ongoing.

This means, as far as I understand, that it does not appear, based on Instructure’s current public statements, to be the kind of breach where passwords, thesis files, submitted assignments, or course content were taken.

That being the case, usernames, emails, course names, enrollment information, and internal messages still have value. They can help someone make a fake email look more real. They can help a scammer impersonate a professor, a school office, a Canvas support message, or a university help desk.

A generic fake email saying, “Reset your Canvas password,” is one thing.

A fake email that shows up during an actual Canvas incident, when students are already worried about access, grades, assignments, and exams, is different. The timing gives the scam a little borrowed credibility.

That’s how a vendor incident can turn into a student problem very quickly.

Instructure has also said the issue was connected to its Free-For-Teacher accounts. The company temporarily shut those accounts down, revoked privileged credentials and access tokens tied to affected systems, rotated internal keys, restricted token creation pathways, added monitoring, and brought in CrowdStrike to support its forensic review. Instructure also says it notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.

As it stands, Instructure is still validating findings, working through a more detailed data review, and expects some of that work to take weeks. So, for students, the honest answer right now is: Canvas is back online, the most sensitive categories of data do not appear to be involved based on current public information, but the full picture is still being verified.

Not the ideal scenario, but far from the worst.

The Outage Hit at a Bad Time

The timing is part of why this incident landed so hard.

Canvas went into maintenance mode during finals for many schools and universities. The Associated Press reported that the outage created chaos as students tried to study access course materials, check grades, and submit work. Some schools had to push back exams. Faculty had to find workarounds. Students did what students do in 2026 when something breaks: they went online to ask if everyone else was also suffering.

As a recent student, I get it. It’s easy for experts removed from the consequences to talk about “platform disruption” in a way that makes it sound sterile and technical.

Unauthorized activity. Exposed data. Threat actor. Vendor response. Containment. All accurate. Also, a little cold.

For students, it looks different. It’s the final paper you can’t access. The exam material you were trying to review. The professor message you’re waiting on. The group project file that lives inside a course folder. The thesis draft you need to confirm was received.

And yes, there are usually workarounds. Email the professor. Save local copies. Check the syllabus. Contact support. All things students should be doing proactively.

But in the moment, when the platform is down and the deadline is close, “just email someone” doesn’t feel especially calming. Especially when everyone else is also emailing someone.

There’s a reason students get anxious when these systems fail. They’re expected to use the official tools, meet the official deadlines, and follow the official process. Then, when the official tool breaks, the student is left wondering whether they’ll still be held responsible for the outcome.

That’s an uncomfortable place to be., And I’d like to believe that schools are trying to understand that emotional, human, side better.

If a learning management system goes down during finals, students are not simply experiencing an inconvenience. They may be worried about grades, graduation timelines, scholarships, financial aid requirements, job applications, internships, or professional next steps.

That deserves clear and consistent communication.

The Claims Are Big. The Verified Details Are Narrower.

One thing that makes this incident hard to talk about is the gap between what attackers claim and what has been confirmed.

ShinyHunters claimed that nearly 9,000 schools were affected and threatened to leak data unless contacted by May 12. Several news outlets reported that some Canvas login pages were defaced with an extortion message, and BleepingComputer reported that approximately 330 educational institutions had login portals replaced with that message for a short period.

Those claims are serious, and they’re also attacker claims.

That doesn’t mean you can ignore them. It means they should be treated carefully. Criminal groups have incentives to exaggerate. They also sometimes have real stolen data. Both things can be true, which is deeply inconvenient for anyone trying to write clearly about this without sounding like either an alarmist or a corporate spokesperson.

So I’d look at the confirmed information and the claims side-by-side.

What Instructure has publicly said: certain user-related data fields were involved, Canvas is back online, Free-For-Teacher accounts were tied to the issue, core learning data was not compromised, and the investigation is ongoing.

What attackers have claimed: a much larger breach affecting thousands of institutions and huge amounts of data.

Students don’t need to come to a conclusion all on their own. They need plain guidance from their school or university.

Education Has Become a Bigger Cyber Target

I wanted to be careful with this claim, because “schools are being targeted more” is the kind of sentence that gets repeated so often it starts to feel like wallpaper.

But the concern is real.

K–12 Dive reported that ransomware attacks against schools, colleges, and universities rose 23% year over year in the first half of 2025, based on Comparitech data. GovTech later reported that ransomware attack counts against schools and universities were relatively steady across 2025, but the number of exposed records increased sharply, driven in part by higher education breaches and third-party software vulnerabilities.

Third-party software. This is where things become hazy.

Because even if a school district or university is doing a decent job internally, it still depends on vendors. Learning management systems. Student information systems. Payment platforms. Testing tools. Email systems. Messaging apps. Transportation apps. Attendance systems.

The modern school environment runs on a lot of invisible infrastructure.

Students usually only notice that infrastructure when it fails.

And when a widely used platform has a problem, the impact can spread quickly. Not because every school made the same mistake, but because many schools depend on the same digital infrastructure which is why this feels bigger than Canvas.

Canvas is the example in front of us right now. But the bigger issue, I think, is dependency.

We’ve built education around digital systems, and in many ways, that’s been helpful. Students can access materials from home. Professors can share updates quickly. Students can track grades. Assignments can be submitted without printing 47 pages and praying the library printer has toner.

But every convenience creates a new point of failure and I don’t think students have fully been brought into that conversation.

What Students Should Do

I don’t think students need to become cybersecurity experts. Most people have enough going on.

But I do think students need a few basic habits for moments like this.

The first one is simple: don’t click the panic link.

If you get an unexpected message saying your Canvas account has been locked, your coursework has been lost, your messages were exposed, or your student record needs to be verified, slow down. Go directly to the school’s official website or Canvas login page. Don’t use the link in the message.

That sounds obvious until you’re stressed, tired, behind on work, and the email looks official.

The second habit is to watch for messages that use urgency as the hook.

Things like:

“Restore your Canvas access immediately.”
“Verify your student ID to prevent account suspension.”
“Click here to recover missing assignments.”
“Open this attachment to see if your information was exposed.”
“Your account will be deleted unless you act now.”

That last one always has a certain villain energy to it, but people still click. Not because they’re careless. Because the message arrives at the exact moment they’re worried it might be true.

Third, students should change any reused passwords.

Instructure says credentials were not compromised. That’s good. But password reuse is still a problem. If a student used the same password for Canvas, personal email, social media, banking, or another school tool, that password should be changed. I’d like to believe students at this point understand why reusing passwords is bad in general.

Fourth, turn on multifactor authentication where it’s available.

Yes, it’s annoying sometimes. Yes, it adds another step. Yes, sometimes your phone is across the room and you briefly consider whether account security is really worth getting off the couch. Then, I would hope you consider the consequences of having your identity stolen.

Fifth, students should keep backup copies of important academic work.

I don’t mean sensitive information scattered across random devices and personal accounts. I mean reasonable, secure copies of major assignments, papers, presentations, thesis drafts, project files, and important instructions.

The goal is not to create chaos. The goal is to avoid depending on one platform as the only place where critical work exists.

As someone who has submitted a thesis, I believe very strongly in backups.

Multiple backups.

Backups with names that make sense.

Not “Final_Final_CurrentFinal_Draft_v7_RandomDate.docx,” although I admit it happens sometimes when you’re working in a group and have multiple versions with feedback from your professor and classmates.

What Schools Should Do Better

This is where I want to be fair.

During a vendor incident, schools may not have all the answers right away. They may be waiting on the company. They may be trying to verify whether their institution was affected. They may be coordinating with legal counsel, IT staff, communications teams, and leadership.

But from the student’s perspective, silence feels awful.

Instructure’s CEO acknowledged in the company’s latest update that communication was not consistent enough during the incident and said the company had “got the balance wrong” by focusing on fact-finding while users needed updates.

I think that same lesson applies to schools and universities.

A vague message that says, “We are aware of an issue,” may be technically accurate, but it doesn’t answer the questions people actually have.

Was our school affected?
What information may have been involved?
What information does not appear to have been involved?
Do students need to change passwords?
Are deadlines being adjusted?
Should students keep using Canvas?
Where will the next update come from?
What should students avoid doing?

And, those are reasonable questions.

I think schools and universities need to treat communication as part of continuity. Not an afterthought. Not just a statement after everything is confirmed. A core response function because trust is fragile in these moments.

Students already feel like they’re responsible for meeting every deadline and following every process. If the system fails and communication is unclear, they’re left carrying stress that belongs partly to the institution and partly to the vendor.

That’s not fair to them.

What This Incident Shows

Canvas and platforms like it make a lot of modern education possible. While I have my own opinions, served its purpose. Most of the time, it worked. And when these systems work, they make school more organized, more accessible, and more flexible.

But I do think we need to be more honest about what happens when they fail.

A learning management system is not just a convenience anymore. It’s part of the academic infrastructure. For some students, especially online students, working adults, parents, commuters, and graduate students, it may be the primary connection to the institution. It was for me.

That means cyber incidents involving these platforms are not only technology problems.

They are continuity problems.

They are trust problems.

They are student support problems.

And for everyone, they are another reminder that digital preparedness is now part of school preparedness.

That does not mean panicking every time a platform goes down. It means knowing where official updates come from. It means not clicking suspicious links. It means using strong, unique passwords. It means saving important work somewhere secure. It means asking schools direct questions when incidents happen.

I think that’s the practical middle ground.

Prepare like the digital systems we depend on might occasionally break, because sometimes they will.

And when they do, students deserve clear answers, realistic support, and enough information to make good decisions.

That seems reasonable to me, maybe even overdue.

As always, stay safe, stay informed, and let’s keep looking out for one another.
— Thomas

The Neighborhood Watch

Discussion about this post

Ready for more?