May 11, 2026 Instructure has restored access to its Canvas learning platform after a cyberattack disrupted service for universities and schools worldwide, forcing the company to temporarily shut down its “Free-For-Teacher” accounts after hackers used them to gain access to the system. The breach exposed data including names, email addresses, student ID numbers and messages between Canvas users during an earlier intrusion on April 29.

For several hours on Thursday, students and professors were unable to access assignments, exams and course materials on Canvas, one of the most widely used online learning management systems in higher education and K-12 education. The outage affected institutions globally, including a number of Canadian colleges, universities and school systems that rely on Canvas for coursework, grading and remote learning operations.

Instructure said the cybercriminal group ShinyHunters placed an extortion message directly on the platform after regaining access to parts of the service.

“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” the company said in a public FAQ.

The company did not disclose technical details about the vulnerability but confirmed the attackers initially compromised Free-For-Teacher accounts on April 29. Instructure said it removed the attackers at that time, launched an investigation and brought in outside forensic experts. However, the hackers later regained access and used the platform itself to display ransom-related messages.

The company says it has now fully removed the attackers from its systems.

While Instructure said there is currently no evidence additional user information was stolen during this week’s outage, the company confirmed that data was accessed during the April intrusion. The exposed information included names, school email addresses, student identification numbers and messages exchanged through Canvas between students and educators.

The incident has raised additional concerns because Canvas is heavily used by K-12 schools, meaning some of the exposed records may involve minors.

Cybersecurity group VX Underground noted that while the breach does not appear to involve financial records or highly sensitive personal information, the exposure of educational communications and student-related data could still create legal and reputational problems for both schools and the platform provider.

“Presumably, parents will be outraged, and this will inevitably result in a lawsuit against the schools or Canvas,” VX Underground said.

Some institutions reportedly delayed final exams because of the outage.

Instructure said taking the Free-For-Teacher platform offline was necessary to secure the broader Canvas environment.

“This was a difficult decision because Free-For-Teacher accounts are an important part of our platform, but it was the right step to protect customers and users while we complete additional safeguards,” the company said.

The attack also highlights how education technology platforms have become increasingly attractive targets for cybercriminal groups. Learning management systems now store large amounts of student records, institutional communications and operational data across thousands of schools and universities.

ShinyHunters has previously been linked to large-scale extortion campaigns and is known for using social engineering tactics, including impersonating employees in English-language phone calls to gain internal access to company systems.

The group reportedly claimed to have targeted nearly 9,000 organizations, including school districts and universities, suggesting the incident may affect millions of students and educators globally.

The Federal Bureau of Investigation urged affected users not to respond to ransom demands or unsolicited communications claiming to be connected to the incident.

“By receiving a message, that does not necessarily mean your personal information has been compromised,” the FBI said. “Threat actors often exaggerate or fabricate their access to sensitive or personal information to prompt payment from victims.”

The bureau also warned users to verify any communications through official channels before responding.

Instructure has not commented on whether a ransom was paid. Reports indicate ShinyHunters later removed references to Instructure from its leak site, though the company declined to discuss that development publicly.

For now, Instructure says the platform is safe to use again.

“Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform,” the company said.