Canvas outage delays college finals across the country

https://www.axios.com/2026/04/02/ai-college-students-change-majors-poll" target="_blank">Universities across the country are rescheduling or https://www.idahostatesman.com/news/local/education/article315678331.html" target="_blank">canceling finals after a https://apnews.com/article/cyberattack-schools-canvas-instructure-shinyhunters-a0d7719689263e6b5f90d0e633391b5b" target="_blank">cyberattack shut down a learning platform used by thousands of schools for course information and assignments.

The big picture: The attack comes at a critical moment for college students who are cramming for finals — and underscores education's growing reliance on singular technology platforms.

Driving the news: With caps and gowns already purchased at campuses across the country, several universities announced that the shutdown forced them to reorganize or scratch finals.

• Penn State https://www.psu.edu/news/administration/story/widespread-canvas-outage-impacting-penn-state" target="_blank">announced that Thursday night and Friday exams had been canceled.

  Administrators are working with faculty to determine what that means for final grading.

  Students can still walk at graduation even without their finals grades, the university said.

• Boise State University also https://status.boisestate.edu/incidents/864391" target="_blank">canceled Friday's final exams.

  Mississippi State opted to https://x.com/msstate/status/2052718248450220204" target="_blank">reschedule Friday exams for Saturday.

• UT San Antonio https://news.utsa.edu/2026/05/canvas-global-service-disruption-update/" target="_blank">postponed assignments and exams to a "near future date," and James Madison University https://www.jmu.edu/computing/security/canvas_outage.shtml" target="_blank">pushed Friday morning exams to Wednesday.

Catch up quick: Instructure, Canvas' developer, https://www.instructure.com/incident_update" target="_blank">said that "unauthorized activity" was first detected in late April, but that it "immediately revoked" that unauthorized party's access.

• But on Thursday, an "unauthorized actor" made changes to Canvas pages, forcing the education tech giant to take the site offline.

  Personal information like names, email addresses, student IDs and messages appeared to have been breached.

• The Harvard Crimson https://www.thecrimson.com/article/2026/5/8/canvas-breach-down/" target="_blank">reported that students accessing the Harvard Canvas site on Thursday were redirected to a message from cybercriminal hacking group ShinyHunters that claimed it had "breached Instructure" and posted a list of affected schools.
• On Friday, Instructure said Canvas was back online.

  The company said hackers exploited an issue with Free-For-Teacher accounts, which it has since shut down for now.

Our thought bubble: Axios' cybersecurity reporter Sam Sabin says hackers are opportunistic and frequently https://www.axios.com/2023/06/23/software-supply-chain-attacks" target="_blank">target central providers whose compromise can ripple across an entire sector.

• In this case, the target was Canvas — and the more than 8,000 organizations that rely on its services.

Catch up quick: The hacking group that https://www.ransomware.live/id/SW5zdHJ1Y3R1cmUgSG9sZGluZ3MsIEluYy4gKENhbnZhIExNUywgaW5zdHJ1Y3R1cmUuY29tKUBzaGlueWh1bnRlcnM" target="_blank">claimed responsibility has reportedly also gone after https://www.cbsnews.com/news/ticketmaster-breach-shinyhunters-560-million-customers/" target="_blank">Ticketmaster, https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/" target="_blank">AT&T and other https://www.bleepingcomputer.com/news/security/mcgraw-hill-confirms-data-breach-following-extortion-threat/" target="_blank">education-related https://tech.yahoo.com/cybersecurity/articles/11-million-students-possibly-risk-171000551.html" target="_blank">companies.

Go deeper: https://www.axios.com/2025/05/07/powerschool-ransom-data-breach-schools" target="_blank">PowerSchool says it paid ransom in December cyberattack