Canvas cyberattack disrupts spring semester

Instructure, the company behind Canvas, experienced a “cybersecurity incident” on May 6. Canvas was inaccessible to students for over a day before it was restored. There will be no changes to exam schedules.

A hacking group called ShinyHunters has claimed responsibility for the cyberattack. This is the second time in May that the group has claimed responsibility for an attack on Instructure. The group has threatened to release schools’ data on May 12 if Instructure and schools don’t meet their demands.

The incident affected approximately 9,000 learning institutions worldwide, including other Canadian universities that use Instructure’s software.

The U of A started to transition students and staff to Canvas from the previously used Moodle (eClass) system in 2024. The 2025–26 academic year was the first that all classes were using Canvas.

Canvas service remains limited, the U of A is not sure when full access will be restored

On May 7, the U of A released its first statement regarding the cybersecurity incident. Passwords, dates of birth, government information, or financial information are not stored on Canvas. The university was awaiting further details about “the scope of impact to U of A data, including the volume and types of information involved.”

As a precaution, according to a statement from U of A media relations, the university took Canvas offline.

Early morning on May 8, the university advised users to not attempt to access Canvas.

Later on May 8, the U of A sent an email to students that said the risks to Canvas users were limited. The university also restored limited service on Canvas.

“This is an interim measure for the short-term, and we do not know when Canvas will be fully restored for users,” media relations told The Gateway.

The U of A advised users to avoid messaging and using the chat function on Canvas. The university has limited some functions on Canvas, including third-party platform integration. The U of A said it is advising instructors on alternatives for assignments, quizzes, and communication with students.

Short-term disruptions can still have major impacts, UASU vice-president (academic) says

The Gateway obtained a copy of a document the U of A sent to instructors with recommendations on how to manage the disruption.

The document stated that instructors could consider their course deadlines and delivery depending on how the Canvas disruption impacted their course.

“In times of technical uncertainty, flexibility ensures that the learning objectives remain the priority, reducing student anxiety and fostering a supportive academic environment for instructors and learners,” it said.

The document explained that students can view previously posted materials, but instructors shouldn’t add news materials, including assignments, quizzes, or grades.

The university is recommending instructors use Google Drive to share materials and Gmail to communicate with students. It also recommended that instructors use Google Forms for students to complete quizzes and submit assignments.

The Gateway reached out to U of A Students’ Union (UASU) Vice-president (academic) Susan Huseynova for a comment regarding the cybersecurity attack.

“We have begun conversations about how the university will respond to support students impacted by this, especially those with exam deferrals and those enrolled in spring courses.” Huseynova added that the UASU’s recommendations to students will depend on how long Canvas will be down, as “short periods of time can have major impacts for students during spring courses.”