Canvas was available for most users late Thursday night, May 7, 2026, after Instructure placed Canvas, Canvas Beta, and Canvas Test into maintenance mode during a fast-moving cyber incident. But for students, families, teachers, and school technology teams, the practical questions are not over.

The learning platform sits at the center of assignments, grades, course messages, files, quizzes, calendars, and parent communication for many schools. When it goes offline during finals, graduation season, or end-of-year grading, the disruption is immediate. When the outage is connected to a confirmed security incident, the next steps matter even more.

Here is what is confirmed, what is reported, and what students, parents, teachers, and school IT teams should do now.

Key takeaways

  • Instructure’s status page said Canvas was available for most users at 9:17 p.m. MDT on May 7, while Canvas Beta and Canvas Test remained in maintenance.
  • Earlier on May 7, Instructure said it had placed Canvas, Canvas Beta, and Canvas Test in maintenance mode.
  • Instructure previously confirmed a cybersecurity incident involving a criminal threat actor and said it was investigating with outside forensics experts.
  • Instructure said the information involved appears to include names, email addresses, student ID numbers, and messages among users at affected institutions.
  • Instructure said it had found no evidence at that time that passwords, dates of birth, government identifiers, or financial information were involved.
  • The Verge, Wired, and TechCrunch reported that hackers using the ShinyHunters name claimed responsibility and that some school Canvas login pages were defaced. Treat those claims as reported, not fully confirmed by Instructure.
  • Students should document missed deadlines or access problems now, before pages, timestamps, or error messages disappear.
  • Parents and teachers should be alert for phishing that uses real school names, Canvas references, assignment language, or urgency around leaked data.

What Instructure has confirmed about the Canvas incident

Instructure’s official status page is the most important source because it is the company’s own update channel for Canvas service availability. A May 8 check still showed Canvas as a partial outage, with Canvas LMS marked under maintenance, even though the latest incident update said Canvas was available for most users late May 7.

On May 1, Instructure said it had recently experienced a cybersecurity incident involving a criminal threat actor and was investigating with outside forensics experts. On May 2, the company said it believed the incident had been contained, while the investigation continued.

Instructure said the information involved appeared to include certain identifying information for users at affected institutions, such as names, email addresses, student ID numbers, and messages among users. The company also said it had found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. That distinction is important, but it does not mean users can ignore the incident. Names, emails, school IDs, and message context can still be useful to scammers.

Instructure also listed several security steps it said it had taken, including revoking privileged credentials and access tokens associated with affected systems, deploying patches, rotating certain keys as a precaution, and increasing monitoring across platforms.

By May 6, Instructure marked the confirmed security incident as resolved on its status page and said Canvas was fully operational with no ongoing unauthorized activity observed. Then, on May 7, Canvas had a new availability problem. Instructure said it placed Canvas, Canvas Beta, and Canvas Test in maintenance mode, then later updated that Canvas was available for most users while Beta and Test remained in maintenance.

That sequence can be confusing for users. The simplest reading is this: the company marked the original confirmed security incident as resolved on May 6, but Canvas still experienced a major service disruption on May 7 that Instructure addressed through maintenance mode.

What is reported, but still needs careful wording

Several news outlets reported additional claims and activity around the Canvas incident.

The Verge reported that users attempting to access Canvas saw a ransom message attributed to ShinyHunters, and that the group claimed to have data from thousands of schools. Wired reported that thousands of schools were disrupted after Instructure shut down access to Canvas, and that the exact scale and reach of the breach remained unclear. TechCrunch reported that hackers defaced some schools’ Canvas login pages by injecting a message into the portal.

Those reports are significant because they explain why students and schools saw a sudden, visible disruption. But there is a difference between what attackers claim and what a company or school has verified. Attackers may exaggerate numbers, reuse old data, or mix true and unverified claims to pressure victims.

For readers, the safest approach is to follow official updates from your own school and from Instructure while treating unsolicited messages, leaked lists, screenshots, and social posts with caution.

What students should do if Canvas was down or assignments were affected

If the outage hit during a deadline, quiz, final, discussion post, or file submission, act quickly and keep the record simple.

1. Screenshot what you saw

Save screenshots of error messages, maintenance notices, missing assignment pages, failed uploads, blank course dashboards, or any unusual login screen. Include the date and time if your device shows it.

If you submitted something outside Canvas, save proof of that too. Keep copies of sent emails, file timestamps, cloud document history, and any confirmation from your teacher or school.

2. Email your instructor or school through an official channel

Do not rely only on a Canvas message if Canvas is unstable. Use your school email or another official school communication channel. Keep it short:

  • Say which class and assignment were affected.
  • Say what time you tried to access or submit.
  • Attach screenshots if allowed.
  • Ask what alternate submission method should be used.

This is not about blaming anyone. It is about creating a clear timestamped record.

3. Avoid unofficial Canvas links

During a high-profile incident, fake login pages and phishing emails become more likely. Do not click random links from social media posts, group chats, or unsolicited emails that claim to restore Canvas access, verify your account, or show leaked school data.

Use your school’s official website, official app, bookmark, or known single sign-on page.

4. Be careful with reauthorization prompts

Instructure’s status page said earlier that the company reissued certain application keys as a precaution, and that end users may need to reauthorize access to some tools. The company said reissued application keys contain a timestamp in the name and are valid Instructure-created keys.

That does not mean every prompt is safe. If a reauthorization screen looks unusual, asks for more information than expected, or appears after you clicked a link from an email, stop and go through your school’s official Canvas link instead.

5. Watch for school-specific instructions

Your school may set its own rules for deadline extensions, alternate submissions, remote exams, grades, and messaging. A university, high school district, or individual instructor may handle the same Canvas outage differently.

If you are worried about a grade, the best evidence is a calm, specific record of what happened.

What parents should watch for

Parents may not use Canvas every day, but they are likely to receive emails, alerts, and student questions when a school platform goes down.

1. Verify messages through the school

If you receive an email or text claiming your child’s Canvas account, grade record, or school messages were exposed, do not click immediately. Go to the school district or college website directly and look for an official alert.

If the message asks for passwords, payment, gift cards, remote access, or a quick response before data is leaked, treat it as suspicious.

2. Talk to students about phishing without panic

The confirmed types of information Instructure described, such as names, emails, student ID numbers, and messages, can help scammers write believable messages. A phishing email could mention a real class, school, assignment, or teacher.

The advice for students should be simple: do not enter passwords from links in random messages, do not download unexpected files, and ask a teacher or school IT office if something seems off.

3. Save important school communications

If Canvas messages are delayed or unavailable, ask teachers which official backup channel they are using. Save emails about deadlines, schedule changes, make-up work, and alternate submission rules.

What teachers should do now

Teachers are stuck in the middle of a difficult situation. Students need clarity, parents need reassurance, and schools need consistent records.

1. Create one clear backup instruction

If your school allows it, send students one short message outside Canvas explaining:

  • Whether deadlines are extended.
  • Where students should submit work temporarily.
  • Whether screenshots or access-error reports are needed.
  • When you will provide the next update.

The goal is to reduce confusion, not create a second chaotic inbox.

2. Do not ask students to use unofficial tools for sensitive work

If students need to submit personal information, accommodations material, grades-related documents, or private messages, use a school-approved system. Avoid moving sensitive student communication into personal email accounts, random file-sharing links, or group chats.

3. Expect uneven access

Some students may regain Canvas access before others. Some may be on mobile, shared devices, or weaker internet connections. If the assignment matters, consider whether an access issue could have affected completion.

4. Preserve grade and assignment records

If you exported gradebooks, copied rubric notes, or used an alternate submission process, keep those records organized. If your school later asks for incident documentation, clean records will matter.

What school IT and administrators should communicate

School IT teams do not need to solve the whole Instructure investigation for users. They do need to make the next step obvious.

A useful school alert should answer:

  • Is Canvas currently available for this school?
  • Are students and staff required to take any action?
  • What data categories are currently believed to be involved?
  • Is there any evidence that local passwords or single sign-on credentials were affected?
  • What should users do if they see a strange login page, ransom message, or reauthorization prompt?
  • What is the official backup channel for assignments and grades?
  • Where will the school post the next update?

Schools should also remind users that the investigation may change. It is better to say “we do not know yet” than to overpromise.

Was my school affected?

Do not assume your school was affected just because it uses Canvas. Also do not assume it was safe because you did not see an error message.

The best source is your school’s IT office, district alert page, university status page, or official email. Some schools may be directly contacted by Instructure with organization-specific details. Others may still be assessing whether their data was involved.

If you see your school named on a leaked or attacker-controlled list, treat it as a lead, not proof. Attackers have an incentive to create fear and pressure. Wait for your school or Instructure to confirm details.

Does this mean Canvas passwords were stolen?

Instructure said that, at the time of its update, it had found no evidence that passwords were involved. It also said it found no evidence that dates of birth, government identifiers, or financial information were involved.

That is reassuring, but it is not a reason to ignore basic account safety. If your school uses single sign-on, your Canvas password may be managed through the school’s identity system rather than Canvas itself. Follow your school’s instructions before changing passwords, because some schools may prefer a coordinated approach.

If you reused the same password on non-school sites, change those separate accounts. Use multi-factor authentication where available.

What phishing could look like after the Canvas incident

The biggest everyday risk for many users may be follow-on scams. A scammer does not need a password to send a convincing email. A name, school email, student ID, course reference, or message context can make a fake alert feel real.

Be suspicious of messages that say:

  • “Your Canvas data has leaked. Click here to check.”
  • “Your assignment was lost. Upload it here now.”
  • “Your school account will be closed unless you verify today.”
  • “Pay this fee to restore access.”
  • “Download this file to recover your messages.”
  • “Your grade changed. Sign in through this link.”

The safer route is always the same: go directly to your school’s official website or known Canvas login page.

What to watch next

There are three things to watch over the next few days.

First, watch Instructure’s status page for service updates. Canvas availability can change separately from the security investigation.

Second, watch your own school’s alerts. School-specific impact may differ from the global status page.

Third, watch for updated guidance about affected data. Instructure’s investigation is ongoing, and the company said it would notify impacted institutions if its findings changed.

For now, the practical response is not panic. It is documentation, official-channel communication, and phishing caution.

FAQ

Is Canvas still down?

As of Instructure’s May 7 update at 9:17 p.m. MDT, Canvas was available for most users, while Canvas Beta and Canvas Test remained in maintenance. However, availability can vary by school, region, and login method, so check your school’s official status page and Instructure’s status page.

What data did Instructure say may be involved?

Instructure said the information involved appears to include names, email addresses, student ID numbers, and messages among users at affected institutions. It said it had found no evidence at that time that passwords, dates of birth, government identifiers, or financial information were involved.

Should students change passwords?

Follow your school’s instructions first, especially if your school uses single sign-on. Instructure said it had found no evidence that passwords were involved, but users should still avoid password reuse and enable multi-factor authentication where available.

What should I do if I missed a Canvas deadline?

Screenshot the error or maintenance message, save the time and date, email your instructor through an official school channel, attach evidence if appropriate, and ask what alternate submission method is allowed.

Are the ShinyHunters claims confirmed?

News outlets reported claims from hackers using the ShinyHunters name, including claims about affected schools and data. Instructure has confirmed a cybersecurity incident and certain categories of information involved, but readers should separate confirmed company or school updates from attacker claims.

Sources

Related Tadpost coverage