The end of spring term 2026 was marked by a sudden digital disaster across a large swath of higher education and K-12. A hacking group successfully struck Instructure, maker of the very popular Canvas learning management system*.

It looks like ShinyHunters got into Instructure in early May, possibly April. I think the attack blew up on May 7, when the hackers posted ransom demands across Canvas instance. Instructure posted a maintenance message:

None

By May 9th the system appears to be working again, although much is uncertain, like the possible theft of some data, who paid any ransoms, and more.

Recovery is in process across the world, but it's important to note how much chaos this event strewed across impacted institutions and populations. It came right at semester's end, meaning it threw final exams, final grades, final projects, and graduations into question. The hack hit thousands of colleges, universities, and schools. I've seen figures estimating 40% of American higher ed are Canvas users. One notice claimed 275 million people impacted. Ian Linkletter of the University of British Columbia called it "the biggest student data privacy disaster in history." LMS guru Phil Hill described it as "among the larger education-sector data exposures on record."

This hit me personally. Georgetown University, where I teach in the Learning, Design, and Technology program, uses Canvas at its LMS. My seminar had a lot of documents and other materials in that instance: an updated syllabus, extra reading list, discussion board, a string of announcements, assignment descriptions, assignment grades and comments, and more. Last week I was grading my students' final projects when I could no longer access those materials, much less anything else from the rest of the term.

One student caught onto this before anyone else and took the initiative to email me a note plus copies of their work as links and attachments. I turned that around to request the same from all other students, and they quickly complied. I emailed them back my evaluations of their work. Meanwhile, the university IT department sent us updated, warning us to not sign into Canvas for a while, then cautiously welcoming us back as things resolved.

Not all of my class stuff was in Canvas. Students did writing in a class blog and several Google Docs. I was able to consult those. Campus and personal emails (usually Gmail) worked fine. And campus grades were supported by a separate service, from Ellucian, which was unaffected by the outage. Plus I keep extensive class notes in a Google Doc (5400 words or so). Georgetown IT was excellent, keeping us informed. The campus then shifted some deadlines ahead a few days to give everyone time for recovery.

Back to the big picture. Where does this leave us?

Instructure took a massive reputational hit. As a hosted solution (i.e., campus IT isn't running each instance themselves) it's a single point of failure. Campuses trusted Instructure to maintain services reliably. This outage, especially with its timing, is a major blow to the company's reputation.

There's also a communications problem. The aforementioned Phil Hill posted that Instructure handled things very badly from an outreach and community relations perspective. The company didn't share much information, especially in a timely way. Instead, "[f]or most of the week, the clearest public evidence that the incident had escalated came not from Instructure's own public channels, but from the customers and partners forced to explain the situation to their users." Additionally, "A public FAQ on Day Five of a confirmed-data-exposure cyber incident is not the same as a public statement on Day One."

Phil was referring to this page, "Security Incident Update & FAQs." Since he posted that critique Instructure's CEO, Steve Daly, added an apology in his name and voice. It remains to be seen how people respond.

I've seen critiques of the hack as a result of Instructure being owned by a private equity firm, KKR. Perhaps changes to staffing and operations led to the vulnerability Shiny exploited. More to the point, maybe academics will take up this view.

I've also seen a lot of schadenfreude from faculty who refused to use Canvas or any LMS, instead relying on other tools. I admit to some resonance with this view, personally, as for years I advocated using Web 2.0 applications (blogs, wikis, etc) instead of an LMS. Then I advocated for open source LMSes like Moodle and Sakai.

We might also see followup attacks as hackers use whatever data Shiny exfiltrated from all of these Canvas instances. I've seen reports that they got some or many Canvas direct messages, email addresses, personal names, student ID numbers.

But what might colleges, schools, and universities do?

In the short term, there's a lot of scrambling to make sure all systems work. Some schools will move key deadlines forward. I expect a flurry of phishing attacks based on whatever data Shiny obtained, doing these quickly before targets get ready.

In the medium to longer term? In America, I expect legal action, as we do love filing lawsuits. We should expect colleges and universities to revv up counsel for combat.

Campus IT may well ramp up security measures across the board. I can imagine speeding up password refreshes, doing more pen testing, expanding two-factor authentication, and offering more user education at the very least. Some may use AI for red teaming. I can also imagine IT shops re-checking all of their operations for security, including checking with vendors. Think of the audits. Think, too, of campus IT producing reports for their communities over the summer. (Please allow me this caveat: I'm not an academic technology professional, so could easily be missing all kinds of things. Let us know in the comment box.)

Will institutions lo0k hard at other LMS providers? Switching between LMSes is a major ordeal (one IT leader compared it to moving a graveyard) and academic leaders might not see it as worth the effort, especially coming *fast*, without any advance planning. That said, I expect Blackboard (Anthology) and Brightspace to make plays for more customers now. Moodle may also get a new look.

How many instructors will move away from their institutional LMS? The shock of this hack will surely send many scrambling for personal backups. One professor pondered leaving the LMS and doing something different:

None

I wonder if this attack will push institutions towards computing decentralization. This is an old, old story, where organizations between between centralization and its opposite. Perhaps the Canvas hack marks another turn of that well-worn wheel.

Over to you all now. How did you experience the Instructure hack? How might we respond? I'm eager to learn from you.

*LMS: also VLE, for Virtual Learning Environment.

(thanks to Donna Kidwell and Phil Long; thanks also to the hard-working IT staff at Georgetown University)