The Canvas LMS outage hit 9,000 institutions during finals week — exposing data from up to 275 million users, forcing a ransom payment to hackers, and raising serious questions about LMS vendor trust, security infrastructure, and the growing threat of AI-powered ransomware attacks.
Canvas, one of the most widely used learning management systems in the U.S., was taken offline Thursday, May 8, following a cyberattack on its parent company, Instructure. The platform was restored on Friday, May 9, and is now available for most users — but the fallout from the breach continues to grow, and cybersecurity experts warn the risks are far from over.
According to CBS News, the hacking group ShinyHunters claimed responsibility for the breach, exploiting a vulnerability tied to Canvas’s Free-For-Teacher accounts. Instructure responded by temporarily shutting down those accounts to contain the threat and restore the broader platform.
The timing could not have been worse — the outage hit at the height of finals season, leaving students unable to access course materials, grades, and assignments. Teachers scrambled to find workarounds, and several institutions, including the University of Texas at San Antonio and Penn State, postponed or canceled scheduled exams. Among the many affected schools were UCLA, Northwestern University, Columbia University, the University of Wisconsin-Madison, and the University of Illinois system.
The Scale of the Breach
The scope of what was stolen is staggering. ShinyHunters listed more than 8,800 educational institutions across 10 countries — including the US, Australia, the UK, and Sweden — as victims of the breach. Among the named institutions are Harvard, MIT, Oxford, Stanford, Princeton, Columbia, Cambridge, Cornell, Berkeley, and Georgetown. Major tech companies, including Amazon, Apple, and Cisco, were also allegedly affected, possibly through corporate Canvas deployments used for employee training.
ShinyHunters claimed to have stolen information affecting 275 million individuals, including billions of private messages between students and teachers, and alleged that Instructure’s Salesforce instance was also breached. Instructure confirmed that the data taken includes user names, email addresses, student ID numbers, and messages exchanged between Canvas users, though the company says passwords, dates of birth, government identifiers, and financial information were not involved.
With the ransom deadline set for May 7, at least 47 million students faced potential data exposure if Instructure chose not to pay.
AI Is Making Ransomware Attacks Worse
Perhaps the most alarming dimension of this story comes from Jake Braun, former White House deputy national cyber director and head of the University of Chicago’s Cyber Policy Initiative. Braun confirmed that artificial intelligence was used in the Canvas ransomware attack and warned that personal information may still be circulating despite the deal reached with hackers.
“This ransomware problem is getting worse, not better. And with the use of AI, almost like commoditizing hacking, it becomes very disconcerting,” Braun told ABC7’s I-Team.
Braun said ransomware attacks are one of the fastest-growing and most profitable criminal enterprises in the world, and that we are still only hearing about a fraction of what’s actually happening. “We find out about the big ones like this, but I know in my time at the White House, the big story for us was all the attacks that weren’t being reported, where folks just pay the ransom and move on,” he said.
Braun also raised concern about the vulnerability of young people, specifically. “One of the fastest growing groups in the world that’s getting scammed online is youth, and so, I do wonder what these criminal groups will do with all this data to potentially swindle young people who are in college,” he said.
He added that as an educator himself, he hasn’t opened a single Canvas-related email since the incident because he can no longer trust which communications are legitimate.
A Secondary Threat: Personalized Phishing
The breach doesn’t end with the initial data theft. Cybersecurity experts are warning that the stolen data creates the conditions for a far more dangerous follow-on attack. Doug Thompson of Seattle-based cybersecurity firm Tanium explained that attackers are moving up the data supply chain to platforms that sit underneath thousands of institutions at once, rather than targeting individual campuses.
With access to real names, email addresses, and teacher-student messages, the next wave of phishing will not be generic — it will reference real courses and real conversations, making it far more likely to succeed. Institutions including Columbia, Rutgers, and the University of Nevada, Reno have already warned their communities to be alert to unsolicited emails or messages appearing to come from Canvas or their institution, particularly any requesting login credentials or personal information.
Queensland education minister John-Paul Langbroek confirmed that people who had used Canvas at any time over at least the past six years could be affected.
What to Do Right Now
Braun offered practical guidance for anyone affected by the breach:
• Call your school’s IT department directly to confirm whether any Canvas-related email is legitimate before opening it.
• Enable multi-factor authentication on your account if you haven’t already.
• Only log into Canvas by going directly to your institution’s Canvas URL — do not click links in emails.
Questions About Instructure’s Response
Beyond the breach itself, ed-tech analyst Phil Hill of Phil Hill & Associates raised pointed questions about how Instructure handled communications throughout the crisis. On May 6, Instructure marked the incident “Resolved” on its status page — but by Thursday morning, May 7, users at multiple institutions were blocked from Canvas and instead saw redirect messages from ShinyHunters. By Thursday afternoon, Instructure had taken Canvas offline in response.
For most of the week, the clearest public evidence that the incident had escalated came not from Instructure’s own public channels, but from customers and partners forced to explain the situation to their users. Instructure did not publish a substantive public Security Incident Update & FAQ until late Friday, May 8 — Day Five of a confirmed data exposure.
Hill noted that the May 8 FAQ did not acknowledge the scale of the breach, did not characterize the volume of data taken in any form, and did not address the extortion claims and ransom deadline that drove the May 7 redirect pages. Listing the categories of data involved without acknowledging the scale, he argued, amounts to a partial disclosure presented as a full one.
Hill contrasted this with Instructure’s response to a 2012 Canvas outage, when then-CEO Josh Coates published a frank public post and signed off with a plain-language apology: “We are embarrassed. We are sorry. We will do better.” That kind of signed, public accountability was largely absent this time.
📌 News Update — May 12–13, 2026: Deal Reached, Ransom Paid, But Risks Remain
Instructure announced Monday that it had “reached an agreement with the unauthorized actor involved in this incident.” The company said it received digital confirmation of data destruction in the form of shred logs, and stated that “no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” with the agreement covering all impacted institutions.
Notably, Instructure’s public statement was carefully worded to neither confirm nor deny whether a ransom was paid. That ambiguity was resolved by Jake Braun, who confirmed to ABC7’s I-Team that Instructure did, in fact, pay the ransom — both to recover use of its systems and to have the hackers delete the stolen data.
This is significant in the context of Phil Hill’s earlier criticism of Instructure’s transparency throughout the crisis. From prematurely marking the incident “Resolved,” to publishing a FAQ that didn’t acknowledge the scale of the breach, to now issuing a statement that obscures whether public funds flowing through educational institutions were used to pay a criminal organization, the pattern of incomplete disclosure continues.
Braun warned that despite the deal, pilfered personal information may still be circulating, and many could still be at risk. Verification of data destruction relies entirely on shred logs provided by the threat actor themselves — there is no independent mechanism to confirm the stolen data has been permanently deleted.
“We’re more vulnerable than ever, particularly with how AI is making this so much easier for bad guys. Law enforcement is not resourced to go after these ransomware groups. If we want to actually get a handle on this, we need to be spending a lot more time and energy with federal law enforcement to go after these ransomware groups that are spread all over the world,” Braun told ABC7.
Braun also noted that the Canvas attack is another example of cyber vulnerability not just to criminal actors seeking financial gain, but to nation-states, including Iran, China, and Russia.
What This Means for EdTek Clients
The Canvas LMS outage is a stark illustration of what’s at stake when LMS hosting and security infrastructure isn’t built to withstand sophisticated threats — and when vendor communications fail at a critical moment. The use of AI to power this attack signals that the threat landscape is evolving faster than many organizations are prepared for.
At EdTek Services, we utilize Amazon Web Services (AWS) to host our platforms precisely because security is never an afterthought — it’s foundational. AWS is the only commercial cloud provider certified to handle top-secret government workloads, and that same enterprise-grade protection extends to every platform we host for our clients. AWS supports 143 security standards and compliance certifications — including HIPAA/HITECH, FedRAMP, GDPR, and NIST 800-171 — meaning your learner data is protected under the most rigorous frameworks in the industry. AWS’s latest SOC compliance reports cover 185 services over a full 12-month audit period, demonstrating a continuous commitment to the highest standards in cloud security.
Beyond certifications, AWS provides built-in tools like AWS Config, CloudTrail, and IAM that allow continuous monitoring, logging, and enforcement of compliance policies — the kind of proactive threat detection that can catch and contain a breach before it becomes a headline.
When your LMS is hosted on AWS through EdTek, you’re not just getting a platform — you’re getting an infrastructure designed for organizations that cannot afford downtime, data exposure, or compromised learner trust.
Sources:
CBS News / AP | TechRadar | On EdTech / Phil Hill & Associates | Times Higher Education | Global News | ABC7 Chicago
