Utah-based tech company Instructure hacked, affecting millions of users globally

Instructure, which operates the online learning platform Canvas used globally, shut down Thursday due to a major cybersecurity breach, affecting potentially millions of students.

KEY TAKEAWAYS
  • Instructure, a Utah-based tech company, experienced a major cybersecurity breach affecting Canvas.
  • The breach worsened on Thursday when the hacker group demanded a settlement by May 12 to prevent data leaks.
  • Potentially millions of users could be impacted by this data breach and Thursday's global shutdown.

COTTONWOOD HEIGHTS — The Utah-based company Instructure, which operates the online learning platform Canvas, used globally, was hacked this week in a major cybersecurity breach, affecting potentially millions of students during the height of exam season.

Canvas is an online platform used by hundreds of schools and universities across the globe and is popular among Utah education entities.

Initially, Instructure experienced the data breach on April 25, saying it was "perpetrated by a criminal threat actor," according to a statement from the company on Tuesday.

"While our investigation remains ongoing with the assistance of outside forensic experts, we want to share that your organization has been impacted by a criminal threat actor who has obtained data associated with your account. Based on what we have found to date, the data involved appears to include personal information. At this time, we have found no indication that passwords, dates of birth, government identifiers, or financial information were involved," the statement said.

On April 29, the attacker was detected, and access was revoked, the company said.

"On April 30, as the investigation expanded, we revoked additional suspicious access and addressed the underlying vulnerability. We have found no indicators of an ongoing threat," Tuesday's statement continued.

But on Thursday, all of Canvas was shut down globally due to a hacker message being shown when people tried to use the platform.

"ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some 'security patches,'" the message said.

The message then said schools interested in preventing their data from being released should contact the group privately to negotiate a settlement, and that they have until the end of day May 12 "before everything is leaked."

A ShinyHunters hacker message is shown on Thursday as someone tries to use the online learning platform Canvas, which was experiencing a major cybersecurity breach. (Photo: Screenshot)

The message also said Instructure has until that date to contact the hackers.

ShinyHunters is a black-hat criminal hacker and extortion group that formed in 2019 and has in the past hacked AT&T Wireless, TicketMaster, Microsoft and Google.

Several school districts sent out statements Thursday notifying students of the platform's cybersecurity incident, warning them of potential data being breached.

"The Canvas system is currently down and will be restored as soon as the incident is resolved. … In the meantime, teachers will provide flexibility on due dates if student assignment submissions are impacted by the outage," Davis School District said.

The district said it was informed by Instructure that it was among the organizations potentially affected by the incident.

"At this time, the investigation is ongoing, and the company has not yet provided complete information regarding what specific district data, if any, may have been accessed," Davis School District said.

While Canvas contains information such as names, email addresses, student ID numbers and course information, the school district said it does not provide the platform with sensitive information such as passwords, government-issued identification numbers, birth dates, or financial information.

"Instructure has stated there is currently no evidence that this type of information was involved in the incident," the school district said.

Davis School District said no action is required from students or parents at this time, but urged them to be careful of potential phishing or email scam attempts that frequently occur during cybersecurity incidents.

Washington County School District said it received this message from Canvas:

"Based on what we have found to date, the data involved appears to include personal information. At this time, we have found no indication that passwords, dates of birth, government identifiers, or financial information were involved."

Alex Cabrero, KSL

Rachel Gardner, who attends Salt Lake Community College, notified KSL she was unable to access Canvas and was worried because she had finals due Thursday.

Higher education institutions are also feeling the impact of the data breach.

A spokesman for the University of Utah said the school has placed a banner on its Canvas platform to alert users about the breach.

"On May 2, 2026, the University of Utah was notified of a cybersecurity incident involving Instructure, the provider of our Canvas learning management system. The university takes this matter seriously and is working closely with Instructure as they coordinate with law enforcement and third-party forensic experts to determine the full scope of the impact," a statement from the university reads.

The university goes on to say that though the investigation is in its early stages, Instructure reports that the data involved appears to be limited to personal information typically found in the campus directory — like names, email addresses and student identification numbers.

"Instructure indicated it is possible that communications contained within the Canvas platform may have been impacted in the incident; however, it has found no evidence that passwords, financial records, government identifiers or dates of birth were compromised," the statement said.

Further north, Utah State University also has responded to concerns over the cybersecurity incident, but said the school doesn't appear to be among those impacted.

"This was not a breach of USU's systems, and Canvas remains fully operational with no disruption to university services," the university said in a statement. "USU is actively monitoring updates from Instructure and assessing any potential impact."

Instructure has not released a statement on the breach as of Thursday, but an employee from the company told KSL the security team was working on resolving the issue.

The Key Takeaways for this article were generated with the assistance of large language models and reviewed by our editorial team. The article, itself, is solely human-written.

Cassidy Wixom, KSL
Cassidy Wixom is an award-winning reporter for KSL. She covers Utah County communities, arts and entertainment, and breaking news. Cassidy graduated from BYU before joining KSL in 2022.
Curtis Booker
Curtis Booker is a reporter for KSL.
