Cyber Incident Victim: Penn State University
Date:
May 2026
Location:
United States of America
Summary
Penn State University reported that its Canvas learning platform was inaccessible following a cyber attack claimed by the group ShinyHunters, prompting the cancellation of several exams. The attack, part of a broader disruption affecting thousands of schools and universities that rely on Canvas, forced many institutions to postpone or reschedule assessments while Instructure worked to restore service. Unauthorized access to the platform was first detected weeks earlier, and the breach exposed personal information such as names, email addresses and student IDs, with the hackers demanding a ransom to prevent data release. After taking the site offline, Instructure eventually brought Canvas back online, though some campuses continued to experience intermittent access issues.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 4 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
A cyber attack on the Canvas learning management system was first detected in late April when Instructure identified unauthorized activity and immediately revoked the actor’s access. On Thursday, an unauthorized actor made changes to Canvas pages, prompting Instructure to take the platform offline and triggering a widespread outage that affected thousands of educational institutions worldwide. The hacking group ShinyHunters claimed responsibility for the breach, posting a message that threatened to release data unless a ransom was negotiated, and the attack disrupted coursework, examinations and assignment submissions as the end‑of‑year academic period approached. Penn State University informed students on Thursday that “no one has access” to Canvas and indicated that a resolution was unlikely to arrive within the next 24 hours, leading the university to cancel some exams scheduled for Thursday and Friday.
In response to the outage, Penn State announced that Thursday night and Friday final exams had been canceled, and administrators began working with faculty to determine how the cancellations would affect final grading. The university assured students that they could still participate in graduation ceremonies even without final grades from the affected exams. Throughout the disruption, Penn State continued to monitor the situation and communicated updates to students as they became available, while faculty adjusted course plans to accommodate the loss of access to the Canvas platform. By Friday, Instructure reported that Canvas was back online after having shut down Free‑For‑Teacher accounts that had been exploited, and the service was described as “available for most users,” though some institutions still reported lingering outages. The incident impacted an estimated 9,000 institutions globally, with other universities such as the University of Sydney, Mississippi State University, Idaho State University, the University of British Columbia and the University of Toronto also reporting disruptions and taking similar measures to reschedule or cancel exams. The attack underscored the vulnerability of centralized education technology platforms during critical academic periods.