A cyberattack targeting the education platform Canvas disrupted thousands of students during finals season across the Tri-State Area. The attack affected systems operated by Instructure, the company behind Canvas, which is widely used by schools and universities to manage grades, assignments, lecture materials, course notes, and communication between students and teachers.
The hacking group known as ShinyHunters claimed responsibility for the breach on Thursday. According to the group, they gained access to sensitive information including student names, email addresses, ID numbers, and private messages.
New York City Schools Chancellor Kamar Samuels said officials became aware of two separate privacy incidents — one affecting up to seven schools and another linked to a single campus. He stated that New York City Public Schools treats student data protection as a top priority and is working closely with vendors, law enforcement agencies, and NYC Cyber Command to respond to the incident as quickly as possible.
Several universities also reported disruptions. Columbia University said it was investigating the issue after widespread outages were reported, while the university’s Mailman School of Public Health postponed exams and assignments scheduled for Friday. Rutgers University also confirmed it was monitoring the global Canvas outage and coordinating updates for students and staff.
Cybersecurity experts are advising affected users to immediately change their Canvas passwords, along with any bank account passwords that may use similar login details. They also recommend watching for phishing attempts and monitoring credit activity for suspicious behavior.
Instructure later confirmed that Canvas services were restored for most users, although Canvas Beta and Canvas Test remained under maintenance for some time. The company said it discovered an unauthorized actor exploiting a vulnerability connected to its Free-For-Teacher accounts. As a precaution, Instructure temporarily shut down those accounts while investigating the breach and securing the platform.
