Cyber Incident Victim: UT San Antonio
Date:
May 2026
Location:
United States of America
Summary
The Canvas learning platform experienced unauthorized access that was first detected in the spring, after which an attacker altered course pages and prompted the provider to shut the service down, exposing names, email addresses, student IDs and messages; the hacking group ShinyHunters claimed responsibility and noted prior intrusions at other companies. In response, several institutions adjusted their assessment schedules, with UT San Antonio postponing assignments and exams, another university canceling end‑of‑term tests, a third rescheduling examinations to the following day, and a fourth moving morning exams to midweek, while the platform was restored after the provider closed the vulnerable Free‑For‑Teacher accounts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Unauthorized activity targeting the Canvas learning platform was first detected by Instructure in late April 2026, prompting the company to immediately revoke the intruder’s access. Despite that early response, on Thursday a separate unauthorized actor gained the ability to modify Canvas pages, which forced Instructure to take the entire service offline to prevent further damage. The disruption occurred during the final exam period for many colleges and universities, a time when students were heavily reliant on the platform for course information, assignment submissions, and exam delivery. As a result of the outage, institutions began announcing changes to their assessment schedules, with some canceling or rescheduling exams and others shifting deadlines to accommodate the downtime.
At the University of Texas at San Antonio, administrators responded to the Canvas shutdown by postponing all pending assignments and exams to a “near future date,” aligning their actions with those of peer institutions such as Penn State, Boise State University, Mississippi State, and James Madison University, which similarly canceled, rescheduled, or moved examinations. The article notes that personal information—including names, email addresses, student IDs, and messages—appeared to have been exposed during the breach, although it does not specify whether UT San Antonio’s records were among those compromised. Instructure’s public statements indicated that the attackers exploited a vulnerability associated with Free‑For‑Teacher accounts, a feature that the company subsequently disabled pending further investigation.
By Friday, Instructure announced that Canvas had been restored to online operation after implementing containment measures and confirming that the unauthorized actor’s access had been revoked. The company attributed the breach to the exploited Free‑For‑Teacher issue and stated that the affected accounts remained shut down as a precaution. Concurrently, the Harvard Crimson reported that users attempting to access the Harvard Canvas site on Thursday were redirected to a message from the hacking group ShinyHunters, which claimed responsibility for the intrusion and published a list of impacted schools. No additional details about the group’s motives or further actions were provided in the source material. The narrative concludes with the platform’s return to service and the ongoing efforts by Instructure to secure the environment against similar incidents.