Canvas Cyberattack Locks Out Millions of Students During Finals Week as ShinyHunters Demands Ransom from Instructure 2026

Holly Hanna

A Canvas cyberattack left millions of students locked out during finals week after the hacking group ShinyHunters breached Instructure and posted ransom notes on university portals nationwide.

Melanie Topchyan had a quiz due. The University of California, Riverside senior opened her laptop, navigated to Canvas, and found herself staring at something that had nothing to do with her coursework. She missed the quiz. A midterm is coming next week, and the lectures and notes she depends on to prepare for it all live behind the platform that had just gone dark.

That scene repeated itself across hundreds of campuses on Thursday, May 7, when a cyberattack disrupted Canvas, the cloud-based classroom hub operated by Instructure and used by more than 30 million active users at over 8,000 institutions worldwide. Where students expected to find their grades, assignments, and study materials, many found instead a ransom note from a group calling itself ShinyHunters.

The note was defiant. “ShinyHunters has breached Instructure (again),” it read, surfacing on the accounts of students from Washington State to the Eastern Seaboard. The group claimed the company had brushed off an earlier intrusion with cosmetic fixes rather than genuine remediation. “Instead of contacting us to resolve it they ignored us and did some ‘security patches,’” the message continued, before issuing a deadline: the company had until the close of business on May 12 to respond or face further data exposure.

By late Thursday night, Instructure announced that Canvas had been restored for most users. But the damage to the academic calendar had already been done. Exams were postponed. Deadlines were extended. James Madison University moved its Friday exams to the following Wednesday. Professors at schools nationwide had scrambled to email materials to students through whatever alternative channels they could find.

How the Day Unfolded for Students: Canvas Cyberattack

For Anish Garimidi, a junior at the University of Pennsylvania, the outage hit mid-study session. He was logged out of his account without warning. The professors in his courses moved quickly, sending materials through email and other channels, but the disruption rattled him in a way that is difficult to separate from the pressure of the season.

“The biggest cause of fear and anxiety in me is that I was deprived of significant resources to study and do the best.”

Georgetown sophomore Minhal Nazeer had already traveled back to Kentucky, having arranged her entire end-of-semester schedule around the assumption that all of her remaining work would be completed online through Canvas. When the platform went down, some of her classmates panicked. Nazeer took a more measured view — her work was in good shape, and the deadline extensions professors offered gave her a bit of breathing room she did not expect.

Not everyone could afford that equanimity. A Columbia University senior, who asked not to be identified, described the timing as the “most inopportune” imaginable. Many students, he said, had been caught in the gap between end-of-year celebrations and the moment when the reality of exams sets in — and suddenly the notes and study guides they had been planning to assemble were out of reach.

For Melanie Topchyan at UC Riverside, the immediate loss was concrete: a missed quiz, and a midterm on the horizon for a demanding course she has been navigating through the platform all semester. Canvas is not just a convenience for students like her. It is the infrastructure of how modern college coursework actually functions.

Who Is ShinyHunters?

The name ShinyHunters has surfaced in cybersecurity investigations and federal courtrooms for several years. In 2024, the group claimed responsibility for hacking Ticketmaster and attempting to sell user data through dark web marketplaces. That same year, the U.S. Department of Justice announced the sentencing of one identified member, describing the group as a notorious international hacking crew. Court documents showed that a user operating under the ShinyHunters name had posted stolen data from more than 60 companies for sale on dark web forums, threatening to release sensitive files if victims refused to pay.

Earlier in 2026, Mandiant — the cyber-intelligence firm owned by Google — reported a rise in activity consistent with past ShinyHunters operations. Researchers described a pattern in which attackers use sophisticated voice phishing calls and fake company-branded login pages to harvest employee credentials, then use that access to steal data from cloud-based platforms before demanding payment.

For all the chaos Thursday produced, there was a kind of institutional resilience on display as well. Professors found workarounds. Universities communicated quickly with students. James Madison rescheduled. Georgetown extended deadlines. The system absorbed the shock, even if imperfectly.

But for students like Melanie Topchyan, who missed a real quiz on a real day that will not be handed back to her, the abstract language of cybersecurity incidents lands differently. A platform that is supposed to be infrastructure — invisible, reliable, always there — became the story of their finals week instead.

Instructure has not responded to requests for comment. The May 12 deadline set by ShinyHunters continues to approach.


Hi – I’m Holly Hanna, founder of JioTest: Simple Strategies to Increase Productivity, Enhance Creativity, and Make Your Time Your Own.