If you logged into Canvas on Thursday, May 7, 2026, you likely saw the spaceship with a robot operating on it. According to the site, Canvas was “currently undergoing scheduled maintenance.” When the note appeared on my screen, I refreshed my page again, again and again. I checked my Wi-Fi, but I still had a connection. As a student who has used Canvas since high school, I had never encountered this before.
It turned out that “maintenance” meant that Infrastructure, the parent company of Canvas, took the site offline to investigate a cyberattack and determine which student information had been breached.
ShinyHunters, a hacking group, claimed responsibility for the breach and threatened to leak data of 9,000 schools and 275 million individuals if schools did not pay a ransom by May 6. After receiving messages from some schools, the group extended the deadline to May 12 “to negotiate a settlement.”
At the University of California, Riverside (UCR), students and faculty were unable to access Canvas for two days, and access to the learning management system was eventually restored on Saturday, May 9, 2026. The cyberattack also affected schools across the UC and California State University (CSU) system, particularly as students were preparing for midterms or final exams.
Since the breach, Infrastructure has stated that the data included student ID numbers, email addresses, names and Canvas messages, but that no sensitive personal information, such as passwords, dates of birth, financial aid or government identification, was compromised.
However, many questions remain about whether this data was permanently deleted and how Infrastructure reached an agreement with the hacker group. Infrastructure has not disclosed whether they paid the hackers or identified who was behind the attack. They also stated that their actions were driven by threats to release the data and admitted there is no certainty that student information has been completely erased.
Infrastructure should be more transparent about what was involved in the settlement with the hacker group and what it is doing to protect student data, which contains highly sensitive personal information.
As more personal data is collected online, it is essential to keep sensitive information, such as grades, financial aid information, email addresses and student ID numbers, confidential. Given that Infrastructure is the main educational management system worldwide, it is responsible for ensuring this security.
If there’s one lesson to take away from this experience, it’s that we might need to rethink our dependence on Canvas.
Cyberattacks on educational platforms have become more frequent, affecting both K-12 schools and universities. In 2022, software provider Finalsite experienced a cyberattack that impacted approximately 5,000 schools. In 2020, ransomware attacks disrupted Baltimore schools in the U.S., leading to the closure of some public schools.
Since the pandemic, learning has shifted increasingly to online platforms. Hackers know that these sites hold valuable information about millions of students and staff, making them an attractive target for data breaches. As awareness of this risk grows, cyberattacks on educational sites will likely continue to rise. Stronger cybersecurity defenses are crucial to safeguarding sensitive data, especially as these platforms become more appealing targets.
Canvas is also the central platform for all course-related activities. It is where students check their grades, access course materials, read announcements, submit assignments and engage with peers on discussion boards. A single shutdown of Canvas disrupted millions of students, leaving them unable to complete coursework or access materials unless their professors contacted them directly.
Interestingly, one of my professors does not use Canvas and instead shares course materials, updates and grades via email. Although the shutdown impacted all my other courses, this class was unaffected.
Moreover, dependence on technology in higher education has increased considerably, with ChatGPT and other artificial intelligence (AI) tools exemplifying this growing trend. The recent platform shutdown highlighted how heavily universities rely on a single system for all courses. This is not to say that universities should return to pre-internet times or ban technology, but Canvas’s monopoly calls for greater action and oversight.
An investigation into Infrastructure should address the system’s security vulnerabilities, including the causes of the failure, details of the hacker group, the student data exposed in the breach and Infrastructure’s agreement with the attackers. Above all, institutions should develop backup plans to avoid future disruptions like this one.
Educators, students and institutions all deserve this safeguard.
