Vesper
ENESFRTR
Log inSign up
Charts
Articles:SportsHealthHistoryTech
Markets
EUR/USD1.1775 0.12%GBP/USD1.3618 0.06%USD/JPY156.66 0.06%USD/CHF0.7772 0.17%AUD/USD0.7244 0.15%USD/CAD1.3672 0.10%USD/CNY6.8157 0.21%USD/INR94.50 0.01%USD/BRL4.9164 0.05%USD/ZAR16.38 0.23%USD/TRY45.36 0.01%Gold$4,715.70BTC$80,675 0.64%ETH$2,326 0.91%SOL$93.13 1.28%
Tech

Canvas learning platform crippled by cyberattack as schools across the US postpone final exams

Ars Technica5 h ago
ShareXWhatsAppTelegramLinkedIn
A server rack in a blue-lit data center
Photo: panumas nikhomkhai / Pexels

The Canvas learning-management system (LMS), operated by Instructure, was hit by a coordinated cyberattack across the United States from 4:30 a.m. Eastern Time on Friday 8 May. The attack coincided with the official start of finals week, and thousands of schools, colleges and universities had to postpone year-end tests. According to Instructure, the attack was a coordinated combination of DDoS and data exfiltration that affected 78% of the system.

Canvas is the largest learning-management system in North America, used by more than 30 million active students and 1.2 million instructors. Affected institutions include Harvard, Stanford, MIT, the University of Texas system, the California State University system, and, for K-12 students, the Los Angeles Unified School District (LAUSD). The total number of students affected was estimated at 14 million in the first 24 hours of reports.

The attack was first noticed at 4:30 a.m. on Friday when the Canvas log-in page failed to respond. Instructure's security team initially assumed it was a performance issue, but a data-exfiltration alert was triggered at 9:30 a.m. The company's Chief Information Security Officer, Sandra Park, told a press briefing: "From the way the first packets were constructed, we concluded this was a planned, sustained attack."

The stolen data has not yet been fully categorised. Park said: "Our biggest concern is the possibility that student identity records and exam answer keys have been stolen. We plan to complete the impact analysis by the end of this week." The company has not yet given an estimate for the cost of identity-protection services for 14 million students. Industry analysts say leaks of this kind tend to add about $280 per user per year for protection.

The FBI's cybercrime division opened an investigation on Friday afternoon. FBI spokesperson Jordan Mitchell said: "We are treating this as a global threat. The identity of the group behind the attack has not yet been confirmed, but the technical analysis shows some indicators consistent with an Eastern European group." The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory directing federal education entities to temporarily switch to alternative platforms.

Schools' responses varied. Harvard postponed exams to the following week. Stanford received emergency proposals for a paper-and-pencil version. MIT shifted to take-home exams. Most smaller colleges, lacking the resources to reorganise so quickly, simply cancelled exams and decided to grade the term on the basis of midterms and assignments. Some students are anxious that the situation could affect their graduation timing.

In LAUSD, 660,000 K-12 students were affected. LAUSD Superintendent Alberto Carvalho said in a statement on Friday evening: "The infrastructure of our education should not be so dependent on a single platform. This is a broader investment problem." The district will consult a committee on diversifying its education-technology vendors.

The group behind the attack has not yet made a public claim. A preliminary report from the malware-analysis firm Crowdstrike showed the vulnerability used in the attack was tied to an Apache proxy CVE published in March 2026 (CVE-2026-1247). Instructure may not have applied the March patch; CISO Park said the question "is still under review."

The edtech industry has been worried for years about the attack surface that comes with digitisation. An NPR investigation last year reported that 73% of US school districts had suffered some kind of cyber incident in the past three years. The intensity of attacks at the K-12 level reflects America's federal structure, which leaves each district with its own IT budget and tends to leave systems unpatched.

As of May 2026, Canvas's return-to-service timeline is estimated at 72 hours; the breach data analysis is expected to take at least two weeks. Affected schools have decided to extend exams over the week of 14-21 May. For edtech vendors, this incident was read as a warning that they need to sell security resilience to customers as much as price and features. "This sector has reached the time to reconsider security architecture as a business priority," said Stanford education-technology researcher Professor Anita Patel.

This article is an AI-curated summary based on Ars Technica. The illustration is a stock photo by panumas nikhomkhai from Pexels.