Penn State academics disrupted during finals week due to worldwide cyberattack
AI-generated summary reviewed by our newsroom.
- Penn State reported Canvas outage during finals week due to a security incident.
- ShinyHunters claimed the breach and urged affected schools to negotiate settlements.
- Instructure said Thursday night it anticipated being back up “soon.”
Penn State students lost access Thursday during finals week to important academic website Canvas after a recognized cybercriminal hacking group claimed responsibility for breaching the parent company, Instructure.
Penn State released a statement Thursday evening confirming that the Canvas disruption is impacting students due to a “security incident affecting Instructure.” Canvas is an online learning platform used by schools to manage classes, assignments and grades.
“Out of an abundance of caution, users should avoid interacting with or clicking on any links, messages, or content that may be posted by threat actors or appear suspicious during this event. Penn State will never direct users to unverified third-party sites for Canvas-related communications or remediation activities,” the university wrote.
It was not immediately known when service might be restored, but the university said in an email to faculty that it “likely” did not expect Canvas to be available by Friday. As a result, all tests in the Pollock Testing Center on Thursday evening and Friday were canceled.
Penn State added that grading adjustments will be made, depending on how long it takes to resolve the issue. Faculty are advised to be as “flexible as possible” and supportive of students in navigating this challenge with graduation approaching. The university added that students may still participate and walk in commencement even if they have not received final grades.
The university is among thousands of schools reportedly targeted by the hacking group ShinyHunters, a group known for large-scale data breaches and extortion campaigns targeting major companies. The group first announced a breach on Instructure on May 3 and, according to respected technology website TechCrunch, a separate breach appeared to have occurred by Thursday.
Canvas users encountered a message Thursday that stated the group had once again breached Instructure and accused the company of ignoring their outreach demands and instead implementing “security patches.” It urged affected schools to consult with a cyber advisory firm and contact the group privately to negotiate a settlement before the end of the day on May 12 — or risk their data being leaked.
The compromised data reportedly came from 275 million students and teachers, across 9,000 schools, including billions of private messages, email addresses and student ID numbers.
As of 9:30 p.m. Thursday, Instructure reported that Canvas remained down and was in maintenance mode. “We anticipate being up soon, and will provide updates as soon as possible,” a note from Instructure’s status page read.
Penn State said it will provide more updates as additional information becomes available.
This story was originally published May 7, 2026 at 9:33 PM.
