When Canvas, the learning management system used by more than 9,000 schools worldwide, went dark during finals week in May 2026, students at hundreds of colleges lost access to exams, assignments, and grades at the worst possible moment. Within hours, the cause became clear: a cyberattack. The group behind it claimed to have stolen 3.65 terabytes of student data from Instructure, the company that builds and operates Canvas, and set a deadline for the company to pay up or watch the data go public. That deadline has now passed.
What has been confirmed
The outage hit during finals season at colleges and universities across the country, cutting off access to coursework, exam portals, and grade books simultaneously. In a security notice posted to its website, Lewis-Clark State College reported that Canvas was unavailable to over 9,000 institutions globally, a figure the college attributed directly to communications from Instructure. That number makes this one of the largest disruptions ever to hit education technology.
Harvard University’s information technology office circulated an internal IT advisory about the incident to its campus community, according to reporting that referenced the advisory’s contents. The notice addressed containment status and urged users to watch for phishing attempts, a common aftershock of large-scale breaches. The advisory was not published on a public-facing webpage, and no direct link to it is available. Its reported existence suggests that elite research universities, not just smaller colleges, considered the risk credible enough to act on internally.
Instructure told its institutional customers that there was no evidence passwords, Social Security numbers, or financial information were part of the compromised data, according to the Lewis-Clark State College notice. Those exclusions, if they hold up under forensic review, would rule out the most immediate forms of identity theft. But 3.65 terabytes is an enormous volume of data. Even without passwords or financial records, a trove that large could contain student names, email addresses, course enrollments, assignment submissions, instructor feedback, and other records that Canvas stores as part of daily academic life.
The Associated Press confirmed the outage’s timing and its impact on finals, reporting that instructors scrambled to find workarounds. Some schools extended deadlines. Others reverted to paper exams or delayed grading entirely. The disruption laid bare how dependent higher education has become on a single cloud platform for nearly every function of instruction.
As the situation developed, the attackers escalated. AP reporting tracked changes on the group’s leak site, including a period when Instructure’s listing disappeared from the page. That pattern is sometimes associated with behind-the-scenes negotiations or ransom payment, though neither explanation has been confirmed. The extortion deadline the hackers originally set has now come and gone.
What is still unknown
The 3.65-terabyte figure comes from the attackers, not from Instructure or any independent forensic review. As of late May 2026, Instructure has not publicly confirmed the volume of stolen data, released a detailed breakdown of which data categories were accessed, or published a formal incident report. The company has not publicly disclosed whether it has engaged a third-party forensic firm, which is standard practice after breaches of this scale.
No law enforcement agency or cybersecurity firm has publicly attributed the attack to a specific group. The incident carries hallmarks of organized extortion operations, but official attribution remains absent. The disappearance of Instructure’s listing from the attackers’ leak site is ambiguous: it could reflect a ransom payment, a tactical pause, or preparation for a broader data release. No one outside the negotiation, if there was one, has confirmed which.
The full list of affected institutions is also unclear. Lewis-Clark State College cited the 9,000-school figure, and Harvard circulated its own internal advisory, but no comprehensive roster of impacted schools has been made public. Smaller colleges with limited IT staff may not have issued any notice at all, leaving their students unaware of potential exposure.
Perhaps most critically, it remains unknown whether the stolen data has actually been released. The deadline passed, but as of this writing in late May 2026, no confirmed public dump of the data has surfaced. That could change at any time.
Why FERPA matters here
Any breach involving student education records at U.S. institutions raises questions under the Family Educational Rights and Privacy Act, the federal law that governs how schools handle student data. FERPA places obligations on institutions, not on vendors like Instructure directly, but schools that contracted with Instructure are responsible for ensuring their students’ records were protected. If the breach exposed personally identifiable student information, affected institutions may face notification requirements and potential investigations by the U.S. Department of Education.
That regulatory dimension adds pressure on both Instructure and its institutional customers to clarify what was taken. Schools cannot assess their FERPA obligations without knowing exactly which records were compromised, and Instructure has not yet provided that level of detail publicly.
What students and parents should do now
Even though Instructure has said passwords were not part of the stolen data, anyone who reused their Canvas password on other accounts should change those passwords immediately. Credential reuse is one of the most common ways a breach at one service leads to account takeovers elsewhere. Turning on multifactor authentication on email, banking, and any other service that offers it adds a second barrier that a stolen password alone cannot bypass.
Students should also expect a spike in phishing emails. Breaches of this size reliably trigger targeted scams, and attackers who hold real student data can craft convincing messages referencing actual courses, instructors, or institutions. Any email urging immediate action on grades, financial aid, or account verification deserves skepticism. Access Canvas and university portals only through bookmarked URLs, not through links in emails, and check sender addresses carefully before clicking anything.
Parents of younger students at K-12 institutions that use Canvas should contact their school’s administration directly to ask whether the institution was affected and what steps are being taken. Schools that have not issued public statements may still have received private guidance from Instructure.
What this means for schools that depend on Canvas
The outage forced colleges to improvise under pressure, and many were not prepared. Universities that rely on Canvas for instruction, grading, and communication discovered during finals week that they had no fallback. Going forward, institutions will need to evaluate whether they maintain local copies of critical course materials, have backup submission portals ready, and have drafted contingency exam policies before the next disruption, not during it.
The breach also sharpens a strategic question that higher education leaders have been slow to confront: vendor concentration risk. When a single cloud platform underpins academic operations for thousands of schools, that vendor’s security posture becomes part of every institution’s own risk profile. Boards and administrators may push Instructure for greater transparency about its security controls, third-party audit results, and incident response history. Some may begin diversifying across multiple platforms to avoid a single point of failure.
For Instructure, the pressure to disclose more will only grow. Affected communities will expect a clear account of how attackers gained access, how long they were inside the network, precisely what data was taken, and what concrete steps are being implemented to prevent a recurrence. The company’s public silence so far has left a vacuum that speculation and attacker claims have filled.
Why the 3.65-terabyte question still hangs over millions of students
The finals-week outage is over. The exams have been rescheduled, the workarounds retired. But the 3.65 terabytes of data the attackers claim to hold has not gone away, and neither have the unanswered questions about what is in it, who is exposed, and what comes next. For millions of students whose academic lives run through Canvas, the breach is not a resolved incident. It is an open one.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
