Canvas Cyberattack Forces Universities to Reschedule Final Exams
On Thursday, May 30, 2025, a coordinated cyber incident hit Instructure's Canvas learning management system, displaying a ransom note from an unidentified cybercriminal group to students at several major universities. The message, which appeared as an overlay on the platform’s homepage, warned that the attackers had gained access to institutional data and threatened to publish stolen files unless a ransom was paid. Instructure confirmed the breach later that day, stating that the attackers exploited a vulnerability in a third‑party OAuth integration used by many schools for single sign‑on (SSO) authentication.
Affected institutions—including the University of Michigan, Arizona State University, and the University of Texas at Austin—immediately responded by postponing final examinations and disabling Canvas access while forensic investigations were launched. The universities issued statements noting that no academic records or personal data had been confirmed as exfiltrated, but they urged students and faculty to monitor their accounts for suspicious activity. Instructure has engaged a leading incident‑response firm and is collaborating with the FBI’s Cyber Division to trace the source of the attack.
Security researchers suspect the incident is a supply‑chain attack, as the compromised OAuth plugin is a widely used component across the Canvas ecosystem. The vulnerability, now patched, allowed the attackers to inject malicious JavaScript that displayed the ransom note without requiring user credentials. Instructure is recommending that all customers review their integration settings, enforce additional multi‑factor authentication, and apply the latest security updates. The breach underscores the growing risk of third‑party services in educational platforms and highlights the need for robust vendor‑security assessments to prevent similar disruptions in the future.