
Image source: screenshot circulating on social media; the attacker’s active IP and onion contact address at the bottom have been redacted.
Still Recovering
As I’m writing this, the Instructure status page still says “Partial Outage.” Canvas itself is back for most users, but the Beta and Test environments are still in maintenance. In other words: you can log in and turn in your assignment today, but this thing isn’t over.
The rough timeline: on the afternoon of May 7, around 14:41 Mountain Time, Instructure started investigating. By 17:37, all three environments — Canvas, Beta, and Test — were placed in maintenance mode. By 21:17, Canvas was back for most users. During the maintenance window, some people who tried to load Canvas didn’t see a login page at all. They saw a ransom note from ShinyHunters. The deadline the attackers set is May 12, 2026.
ShinyHunters has a track record. In recent years they’ve been named in connection with the Snowflake customer data leaks, a string of Salesforce phishing incidents, and more. This time they claim to have hit roughly 9,000 schools globally. The number hasn’t been independently verified, but the geographic spread is real: institutions in the US, the UK, New Zealand, Australia, Sweden, and the Netherlands are all confirmed affected. Several large public research universities in the American Midwest, research-intensive universities in the UK, and comprehensive universities in the Southern Hemisphere are all on the list.
Who Is Instructure, and Why Does Half the World’s Higher Ed Run on Canvas?
Canvas is built by Instructure, founded in 2008 by two BYU graduate students, Brian Whitmer and Devlin Daley. Canvas LMS launched in 2011. The pivotal early win was a 2010 statewide deal with the Utah Education Network — every public K-12 school, college, and university in Utah migrated to Canvas. By 2014, Instructure had crossed 4.5 million users.
The capital story is a textbook ed-tech-SaaS arc. IPO on the NYSE in 2015. Taken private in 2020 by Thoma Bravo for about $2 billion. Re-listed in 2021 under the ticker INST. Taken private again in November 2024, this time by KKR and Dragoneer, for $4.8 billion. Two trips through public-private cycles in ten years. That’s a lot of churn for a company sitting on critical educational infrastructure. Each ownership change is a chance for R&D and security budgets to be reshuffled.
According to late-2024 / early-2025 LMS market estimates, the picture looks like this. In North American higher education, weighted by enrollment, Canvas has roughly 50%, D2L Brightspace 20%, Anthology Blackboard 12%, and Moodle 9%. By institution count: Canvas 39%, Blackboard 19%, Moodle and Brightspace 16% each. In fall 2025, a milestone number showed up: Canvas’s market share for the first time exceeded the next three competitors combined. Globally, Instructure’s own number is over 28 million regular users across roughly 4,000 institutions, with offices in Salt Lake City (HQ), London, Sydney, and São Paulo. Europe is the exception: Moodle holds about 25% there, because open-source plus data localization fits the EU university procurement palate better.
So why did Canvas win? A few reasons. First, cloud-native from day one. When Canvas launched in 2011, Blackboard was still selling on-prem software that schools installed and maintained themselves. Canvas was SaaS from the start, which crushed the competition on uptime, upgrade cadence, and feature delivery. Second, open APIs and LTI integrations got priority early. Plugging Turnitin, Zoom, Panopto, or Respondus into Canvas is genuinely smoother than into Blackboard, and that mattered to procurement committees. Third, instructor UX is just better — the grading flow, SpeedGrader, the assignment-feedback loop. Faculty have a lot of say in selection, and they liked Canvas. And finally, the sales playbook was aggressive: heavy discounting on state and regional contracts, peeling Blackboard accounts off one district at a time.
But the same things that made Canvas win are why this incident is so painful. Deep integration means when Canvas goes down, Zoom recordings, Turnitin checks, and a stack of third-party teaching tools fall over with it. Cloud-native concentration means there’s no “the local server can hold for a few hours” fallback. Market share above the next three competitors combined means switching isn’t a real option — telling a university today to migrate from Canvas to Brightspace is a one-to-two-year project all by itself.
The Boundaries of What Got Out
Instructure’s current statement: the data involved includes names, email addresses, student IDs, and messages between users. It does not include passwords, dates of birth, government identifiers, or financial information.
That distinction matters more than most people realize.
From a compliance perspective, “name + email + student ID” already qualifies as personal data under GDPR. For affected schools in EU member states (Sweden, the Netherlands), that triggers the 72-hour notification clock. “Messages between users” is the more sensitive piece. What teachers and students send each other in Canvas Inbox isn’t small talk — it’s grade appeals, mental-health context, recommendation-letter discussions, disciplinary correspondence. If that gets dumped, the secondary harm is much worse than a leaked email address.
What I personally want to know is the scoping. Was this a database snapshot or only certain tables? How long were the attackers inside before detection? (Dwell time tells you whether this was reconnaissance or automated scraping.) What was the entry path — credential phishing, token replay, or a third-party component in the supply chain? Was data-at-rest encryption actually in effect, and where was the key management layer? Instructure probably won’t disclose any of this in the first week. But the incident report 60–90 days from now will be the most important card on the table at every North American renewal negotiation.
Why This Timing
For North American and UK higher ed, early May is the worst possible week. Final exams, final paper submissions, graduation determinations, transfer application deadlines — anything that needs a timestamped record is jammed into these few days.
The timing was almost certainly part of the pressure. A school can find workarounds for three days without an LMS — push deadlines, accept emailed submissions, run paper exams. But the registrar, the academic-records office, and graduation eligibility processing have to back-fill all of that later, and every step is administrative cost. That business-continuity pressure is itself part of the leverage.
The deeper issue: Canvas has become genuine educational public infrastructure. Whether one company can keep its lights on determines whether thousands of schools and tens of millions of teachers and students can do their day’s work. That concentration was called “scale economies” for the past decade. Today it just looks like a single point of failure.
From a Student’s Point of View
For a lot of students, Canvas is the first tab they open in the morning. Class schedule, assignments, grades, messages with professors. Nobody thinks of it as something that breaks — until the login page becomes a ransom note.
After this, a few habits worth picking back up.
First, local backups aren’t an old-fashioned habit. The drafts of important assignments, email threads with professors, recommendation-letter discussions — keep a local copy where you can. Cloud sync is a convenience, not custody. Treating “the cloud” as if it’ll always be there is a posture that eventually costs you.
Second, account isolation pays off. Don’t reuse passwords between your school account, personal email, and other SaaS services. This breach didn’t expose passwords, but the combination of email + student ID is more than enough fuel for the next round of phishing. Attackers will impersonate the registrar, the library, or the financial aid office. Those messages will look much more convincing than the spam-grade phishing most people have learned to ignore.
Third, leave dual-channel evidence for important deadlines. Assignment submissions, payments, registration cutoffs — if you only have the in-system record, you only have one place where things can go wrong. Screenshot, email confirmation, PDF copy. Thirty seconds of work, and you save yourself a lot of explaining when something does go wrong.
From a Compliance Person’s Point of View
Stepping back from “did this hurt me personally” — the things actually worth writing down are a few inputs into your next risk assessment.
One is concentration risk. If a SaaS service goes dark for a few hours, can your work still run? Wherever you can’t answer, or the answer is “no,” that’s content for the next risk matrix.
Another is how to actually observe vendor security maturity. SOC 2 is the security and controls audit report that an auditor produces; the vendor’s sales team hands it over during procurement to prove “we have controls.” But it’s a document, and the moment it’s published, it’s already stale. It tells you nothing about how the company actually behaves when something goes wrong. Instructure’s update cadence on the status page during this incident, the precision (or evasion) of their wording, the scope of data loss they’re willing to admit to — that’s the more useful material on the renewal table.
A third is the granularity of your data classification. The breach disclosure here puts “user messages” and “passwords / dates of birth” in different baskets, which is the right move — but only if your classification work was done finely enough to begin with. Apply it to yourself: if your system were hit today, could you describe with the same precision “what walked out and what didn’t”? If you can’t, that’s homework you owe.
Finally: timing. The attack landing in finals week wasn’t accidental. Any organization with a clear business rhythm — earnings season, Black Friday, tax season, intake season — should run a “if SaaS X went down today” tabletop exercise before that peak, not as a process formality but as a real run-through of handoff, degraded operation, and emergency channels.
What to Watch Next
May 12 is the deadline the attackers set. Whether or not Instructure negotiates won’t be made public, but expect movement around that date — either the data actually being released, or a new statement, or both.
The next week or two: institutional disclosures. Each school’s IT and Privacy Office will issue their own notice, and those tend to be more specific than the global statement from Instructure.
Sixty to ninety days out: the full incident report. That’s the real material for judging Instructure’s security maturity, and the document that will be cited and re-cited at every renewal negotiation in North American higher ed.
The progress bar is still moving. I’ll update this post — or write a follow-up — depending on what actually happens after the 12th.