Canvas educational platform hacked in massive cyberattack affecting 275 million users

Instructure reached an agreement with hackers to delete stolen data from Canvas after a cyberattack affecting millions of students.

Objective Facts

In early May 2026, Canvas LMS, a learning management system operated by Instructure, was affected by a data breach after an unauthorized actor gained access to certain user data, including names, email addresses, student ID numbers, and messages amongst users. On May 7, Canvas was hacked again when ShinyHunters replaced its login page with a ransomware message, threatening to release Canvas's sensitive data unless its ransom was paid by the end of May 12. Instructure struck a deal with the hackers to delete the data, with CEO Steve Daly issuing an apology. The company did not provide any details on the agreement, including whether it involved a payment. In Australia, ABC News reported that universities, vocational providers, and some state schools were affected, and that the federal government's National Office of Cyber Security was coordinating a response, while the University of Oxford warned students and staff that Canvas remained offline, with no confirmed date of return.

Left-Leaning Perspective

State of Surveillance reported that Instructure's status page showed 100% uptime on a day Canvas was down at hundreds of institutions, its CEO said nothing for 12 days, and it took getting hacked a second time to produce public acknowledgment that the first hack was serious. Legal analysis from advertising law experts noted that plaintiffs allege Instructure failed to implement adequate security procedures despite having financial resources to prevent the breach. The House Homeland Security Committee's demand for a briefing signals congressional concern about corporate accountability in educational cybersecurity incidents. CEO Steve Daly apologized over the weekend for the company's inconsistent communication and deficient public response, stating, "you deserved more consistent communication from us and we didn't deliver it." Progressive coverage emphasized failures in transparency and the company's initial silence during the crisis. Left-leaning outlets largely focused on corporate negligence, the inadequacy of Instructure's response infrastructure, and the broader systemic risks of centralized educational platforms, while downplaying the technical complexity of preventing determined ransomware attacks and emphasizing vendor accountability over external threat sophistication.

Right-Leaning Perspective

CBS News reported that Instructure acknowledged there was no way to be sure the data was erased for good, and said it took action because of concerns about potential publication of the data. According to CyberInsider, Instructure confirmed attackers exploited a vulnerability in the Free-for-Teacher system, and CEO Steve Daly admitted the firm went quiet while attempting to verify technical details and said the company failed to provide consistent updates schools and educators expected. Business and tech-focused outlets acknowledged the difficult position of ransomware victims while noting the company's rapid containment efforts. Associate professor Ahmed stated that paying a ransom is an extremely difficult decision for any victim, but offers no guarantee that stolen data will be protected. Center-right cybersecurity analysis emphasized the company's dilemma: negotiating with criminals versus leaving students' data at risk, while acknowledging Instructure worked with forensic partners and law enforcement. Right-leaning coverage downplayed systemic corporate negligence narratives, instead emphasizing the sophistication of ShinyHunters and the inherent difficulty of defending cloud platforms against determined criminal syndicates, while giving Instructure credit for its settlement resolution.

Deep Dive

The Canvas breach represents a cascade failure across multiple levels: technical security (vulnerability in Free-For-Teacher accounts), organizational communication (initial silence and false status page updates), and ultimately strategic (negotiation with criminals). The specific angle of this story is not just the breach itself, but Instructure's response—particularly CEO Steve Daly's May 11 apology and the company's undisclosed settlement with ShinyHunters.

Instructure's May 6 announcement that the situation was "resolved" proved premature. On May 7, ShinyHunters claimed it had hacked Instructure again and faulted the company's response to the previous attack: "Instead of contacting us to resolve it they ignored us and did some security patches." This escalation from ransom demand to active service disruption forced Instructure's hand. Daly's apology acknowledged the core failure: choosing fact-gathering over stakeholder communication during a crisis affecting 30 million users across 8,000 institutions mid-finals season. The disagreement centers on whether this was an honest tactical error or institutional evasiveness. Left critics emphasize that a company with Instructure's resources and 12 days of knowledge should have provided hourly updates; defenders note that early crisis communication with incomplete information risks panic.

The settlement itself remains opaque. The company acknowledged there was no way to be sure the data was erased for good, yet whatever Instructure paid, it paid with someone else's money, as most publicly traded companies carry cyber insurance with ransomware riders, with premium increases hitting next renewal and costs ultimately passed to schools and students. This creates a perverse incentive structure critics emphasize. What remains unresolved: there is no independent confirmation the data was actually deleted, requiring trust in ShinyHunters' word. Forthcoming litigation and regulatory investigations from the House Homeland Security Committee will likely focus on whether Instructure's vulnerability management met industry standards and whether communication decisions violated disclosure obligations to affected institutions.

Regional Perspective

In Australia, ABC News reported that universities, vocational providers, and some state schools were affected, with the University of Melbourne, University of Technology Sydney, RMIT, Griffith University, Adelaide University, University of Canberra and the Queensland University of Technology offering extensions on assignments to affected students. Queensland Education Minister John-Paul Langbroek confirmed that all students and staff at state schools since 2020 have had their personal details compromised in the Canvas breach. In the UK, the University of Oxford warned students that Canvas remained offline with no confirmed return date, and students experienced difficulties accessing exam papers. Australian cybersecurity experts noted that hackers increasingly target companies with global customer bases and financial capacity to pay large ransoms, with numerous Australian universities confirming staff and students regained access but warning users to be wary of potential increases in scam emails and phone calls. Educational institutions in the United States, Canada, United Kingdom, New Zealand, Australia, Sweden, the Netherlands, Hong Kong, and Singapore reported disruption, outage, and potential exposure of user information. Regional media in Australia and the UK emphasized the particular vulnerability of students during exam season and called for government cybersecurity coordination, with Queensland Teachers' Union calling for investigation into what caused the breach and how similar attacks could be thwarted. Regional coverage diverged from Western narrative emphasis on Instructure's communication failures by focusing instead on practical institutional responses—assignment extensions, phishing warnings, and government coordination. 
Australian outlets particularly emphasized the reach of state education systems affected and the priority given to vulnerable student populations in notification processes, while UK coverage highlighted the immediate impact on exam access and the precautionary approach institutions took. International perspectives framed this as a systemic vulnerability in centralized educational technology rather than primarily as a corporate communication failure.

May 12, 2026
What's Going On

Left says: State of Surveillance reported that Instructure's status page showed 100% uptime on a day Canvas was down at hundreds of institutions, its CEO said nothing for 12 days, and it took getting hacked a second time to produce a public acknowledgment that the first hack was serious.
Right says: As part of the deal, the data was returned to Instructure and the company said it also received digital confirmation the hackers destroyed any remaining copies, in the form of shred logs.
Region says: Australian cybersecurity experts noted that hackers are increasingly targeting companies with a global customer base and the financial capacity to pay large ransoms in what is known as Big Game Hunting, with Australian universities warning users to be wary of a potential increase in scam emails and phone calls. In the UK, sources indicated students at the University of Oxford experienced difficulties accessing exam papers and having to email lecturers for documents, while universities in Canada, New Zealand, and Australia also experienced significant disruption, with the University of Sydney warning students not to log in.
✓ Common Ground
Several voices across the spectrum acknowledge that educational institutions have long been the most targeted industry worldwide, copping an average 4,356 attacks per organisation each week.
Commentators on both sides recognize the breach is a word of warning for schools and universities whose networks have typically been built as 'Swiss cheese by design'.
There appears to be growing recognition that Canvas is where students share medical needs, seek support from advisors, and navigate some of the most personal moments of their academic lives, and the breach means that sensitive information entrusted to those systems may now be in the wrong hands.

◈ Tone Comparison

Left-leaning outlets used language emphasizing corporate negligence and cover-up ("went quiet," "100% uptime" while systems were down, CEO "said nothing for 12 days"), treating the settlement as evidence of guilt. Right-leaning and centrist outlets employed more neutral framing, quoting Daly's apology directly and contextualizing the dilemma ransomware victims face, with less morally charged vocabulary.