The University of Illinois at Urbana-Champaign, Baylor and Arizona State universities have all reported impacts.
Colleges and universities across the country have postponed final exams and due dates for assignments after Canvas, a learning management system used by 41 percent of North American higher ed institutions, temporarily went offline due to a hack.
![eLearning Industry’s Guest Author Article Showcase [April 2026]](https://cdn.elearningindustry.com/wp-content/uploads/2026/05/eLearning-Industrys-Guest-Author-Article-Showcase-April-2026.jpg "eLearning Industry’s Guest Author Article Showcase [April 2026]")
The University of Illinois at Urbana-Champaign postponed “all final exams and assignments, including papers, projects, etc., scheduled for Friday, Saturday, or Sunday,” provost John Coleman wrote to students and employees Thursday night. He added that, for “consistency and clarity,” the postponement affects all classes—even those that don’t use Canvas.
Baylor University provost Nancy Brickhouse told students and employees her university planned to restore access to its Canvas system at 1 p.m. local time Friday—after Instructure, the company that owns Canvas, restored universities’ access nationally overnight. She said final exams that were set to take place Friday have been rescheduled for Thursday of next week and will be administered online.
“We ask faculty to build in flexibility so that students who are traveling or have other post-semester commitments can complete their exams when their schedules permit,” she wrote. “We recognize that this change presents challenges regarding test security.”
To reduce risks—and in case Canvas goes down again—she asked faculty to export grade books and download important course materials onto their computers, among other things. The exam postponements even affect move-out dates; the deadline for students to leave dorms “remains 24 hours after the completion of their last final exam.”
Arizona State University canceled all exams set to take place on Canvas Friday and Saturday, local TV station 12News reported, adding that instructors will update students on grade adjustments.
And the University of California System said in a statement Thursday that “out of an abundance of caution,” its president’s office “has instructed all UC locations to temporarily block or redirect Canvas access, and Canvas access will not be restored until we are confident the system is secure.” In an update Friday, UC said it’s “making risk-based decisions about when to restore access to Canvas at campuses based on their operational needs.”
The quick institutional responses—and the reluctance by some to tell students and employees they could return to the platform, even after Instructure brought it back online—reflected the widespread uncertainty caused by Canvas’s disruption. In a statement Friday, Cliff Steinhauer, the National Cybersecurity Alliance’s information security and engagement director, said the “breach underscores how deeply schools now depend on centralized digital platforms to keep day-to-day academic operations running.”
“Even if highly sensitive financial information was not exposed, educational records, communications, and identity data can still be valuable to cybercriminals for phishing, impersonation, and future attacks,” Steinhauer said. “Cybercriminals are increasingly incentivized to target large technology vendors and shared service providers because compromising a single platform can provide access to thousands of organizations at once, making it far more efficient and profitable than attacking individual schools one by one. … As attackers increasingly target platforms that cannot afford downtime, the education sector should expect more extortion-driven attacks aimed at maximizing pressure and disruption.”
Earlier this week, the criminal extortion group ShinyHunters claimed its attack on Instructure compromised personal identifying information for 275 million people, including students and employees, across 9,000 K-12 and higher ed institutions worldwide. Canvas said it had resolved the data breach Wednesday, but the next day, students and faculty reported seeing a message in which ShinyHunters said it “breached Instructure (again).” The group said compromised institutions “interested in preventing the release of their data” should “consult with a cyber advisory firm and contact us privately at [the encrypted messaging application] TOX to negotiate a settlement.” It gave institutions and Instructure a Tuesday deadline to make a deal.
On Thursday afternoon, Instructure said “Canvas, Canvas Beta and Canvas Test” were unavailable amid an investigation. By Friday, Instructure said Canvas had been restored.
Instructure didn’t provide Inside Higher Ed an interview Friday or answer written questions. In a statement, it said that on Thursday—the same day the ShinyHunters messages appeared to users—it “discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate.”
The company said on its website that the “unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” and the same problem “led to the unauthorized access the prior week.”
“We have made the difficult decision to temporarily shut down our Free-For-Teacher accounts,” Instructure said in its statement. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
Source link
#Universities #Suspend #Final #Exams #Canvas #Hack
