Instructure took Canvas offline after a cyberattack attributed to the hacking group ShinyHunters, warning of potential exposure across thousands of institutions. The incident has left universities and colleges scrambling during end-of-semester grading windows, with many campuses affected while final exams conclude and end-of-term grades are posted. Instructure said it discovered the incident on April 29 and confirmed the unauthorized actor exploited a Free-For-Teacher account-related issue. The company engaged outside forensic experts and moved quickly to contain access, including temporarily shutting down Free-For-Teacher accounts. According to ShinyHunters, attackers accessed information from 9,000 schools worldwide and threatened to leak data on May 12. Reported impacted data includes names, email addresses, messages sent through Canvas, and student identification numbers, according to the company’s notifications to districts such as Orange County Public Schools. For higher education leaders, the immediate operational risk is instructional downtime and grading delays. The longer-term compliance risk centers on breach response, data governance, and how quickly campuses can document impacts to student and staff data under evolving state privacy expectations.