School app Canvas breach hits during finals

That is what many students faced when Canvas, the school platform used by colleges, universities and K-12 schools, went down for several hours. The outage came after Instructure, the company behind Canvas, detected unauthorized activity tied to a cybersecurity incident on the platform.

Sign up for my FREE CyberGuy Report

Instructure says it detected unauthorized activity in Canvas on April 29, 2026. The company said it immediately revoked the unauthorized party's access, started an investigation and brought in outside forensic experts.

Then, on May 7, Instructure said it identified additional unauthorized activity tied to the same incident. The company said the unauthorized actor made changes to pages that appeared when some students and teachers were logged in through Canvas.

Out of caution, Instructure temporarily took Canvas offline into maintenance mode to contain the activity, investigate and apply additional safeguards.

Instructure said it later confirmed that the unauthorized actor exploited an issue related to its Free-For-Teacher accounts. The company said this was the same issue that led to the unauthorized access the prior week.

In a statement to CyberGuy, Instructure said, "Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused."

That detail is important because it explains how the company says the attacker gained access. It also shows why Instructure took a more aggressive step after the May 7 activity.

The timing made the outage especially frustrating. Students across the country are preparing for finals or already taking them.

Think about how that feels if you are a student. You may need to submit a paper, check exam details or message a professor. Then the system you rely on suddenly stops working.

That is the real-life problem with school tech. When one major platform goes down, the disruption spreads fast.

The group also claimed it had data tied to nearly 9,000 schools and about 275 million people. Those numbers come from the hackers' claims. Instructure has not publicly verified that full scale.

That is worth keeping in mind. Cybercriminals often use big numbers to create panic and pressure victims. However, the confirmed incident is serious enough for schools and families to pay attention.

Based on Instructure's investigation so far, the data taken in the April 29 incident includes certain personal information of users at affected organizations. That includes names, email addresses, student ID numbers and messages among Canvas users. Instructure said it has found no evidence that passwords, dates of birth, government identifiers or financial information were involved.

The company also said that, based on its investigation to date, it has not found evidence that data was taken during the May 7 activity. Still, Instructure said the investigation is ongoing.

Even so, this kind of information can still create problems. A scammer could use a student's school email and Canvas details to send a fake message that looks official.

Yes. Instructure says Canvas is fully back online and available for use. However, Free-For-Teacher accounts remain temporarily shut down while the company works through the issue.

The company also says its outside forensic partner reviewed the known indicators and found no evidence that the threat actor currently has access to the platform.

Instructure says it has revoked privileged credentials and access tokens tied to affected systems. It also says it deployed additional platform protections, rotated certain internal keys, restricted token creation pathways and added monitoring across its platforms.

Many parents may not know how much school life now runs through platforms like Canvas. Students use Canvas to track deadlines, get teacher updates, submit work and read class messages. Teachers use it to manage assignments and communicate with students.

That makes Canvas a tempting target. If criminals can disrupt access or steal user information, they can create chaos quickly. The bigger lesson here is that school accounts deserve the same protection as bank accounts or email accounts. They hold personal details, private messages and information tied to a student's daily life.

Even if passwords and financial details were not part of the breach, students and teachers should still stay alert. Scammers can use names, school emails, student ID numbers and message details to make fake alerts look convincing.

Instructure said it found no evidence that passwords were involved. Even so, follow your school's instructions. If your school tells you to reset your password, do it right away. Choose a strong password you do not use anywhere else. A password manager can help you create and store unique logins for each account. Check out the best expert-reviewed password managers of 2026 at CyberGuy.com.

No real school IT worker should ask for your password or login code. If someone asks for that information, treat it as a red flag. End the conversation and contact your school through an official help desk number or website.

Since Canvas messages may have been involved, think about what you shared there. Did you send personal details? Did you mention another account? Did you share private information with a teacher or classmate? You do not need to panic. But you should stay alert for messages that reference details from your Canvas account.

A breach like this can lead to phishing emails with malicious links or attachments. Strong antivirus software can help block malware, warn you about dangerous websites and protect your devices if you accidentally click the wrong link. Keep it updated on your phone, tablet and computer. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at CyberGuy.com.

Student and teacher information can end up on people-search sites and data broker databases. A data removal service can help reduce how much personal information is floating around online. That can make it harder for scammers to connect your school email, home address, phone number and other personal details. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting CyberGuy.com.

If your school confirms that your personal information was involved, identity theft protection can help you spot suspicious activity faster. These services can monitor your personal information, alert you to possible misuse and help you respond if someone tries to use your identity. See my tips and best picks on Best Identity Theft Protection at CyberGuy.com.

Instructure says it notified impacted organizations on May 5, 2026. If a school or institution was affected, Instructure says it will contact that organization's primary contacts directly.

For students, parents and employees, Instructure says the school or institution should be the first point of contact. It also recommends being cautious of unexpected emails or messages about the incident, avoiding suspicious links and reporting anything unusual to the school's IT or security team.

Schools should also warn students and staff about follow-up scams. A breach does not end when the platform comes back online. For students and teachers, the risk can continue through fake emails, fake login pages and scam messages.

Should schools and tech companies do more to protect student and teacher data before a breach puts their privacy at risk? Let us know by writing to us at CyberGuy.com.

Sign up for my FREE CyberGuy Report

Copyright 2026 CyberGuy.com. All rights reserved.