Cyber Incident Victim: Boise State University
Date:
May 2026
Location:
United States of America
Summary
A cyberattack on the Canvas learning management system led to unauthorized access to user data, including names, email addresses, student IDs and messages, prompting the provider to shut down the service. The disruption forced several institutions to adjust or cancel end‑of‑term assessments, with Boise State University canceling its scheduled exams. The provider said the breach originated from a vulnerability in Free‑For‑Teacher accounts, which it has since disabled, and that the platform was restored after the incident was contained.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Unauthorized activity on the Canvas learning platform was first detected by Instructure in late April 2026. Upon detection, Instructure immediately revoked the unauthorized party's access to the system. Despite that action, on Thursday May 6 2026 an unauthorized actor made changes to Canvas pages, prompting Instructure to take the site offline. The disruption exposed personal information such as names, email addresses, student IDs and messages, which appeared to have been breached. Students who accessed the Harvard Canvas site on that Thursday were redirected to a message from the hacking group ShinyHunters claiming responsibility for the breach and posting a list of affected schools. The group asserted that it had "breached Instructure" and used the platform to broadcast its claim.
The outage coincided with the final exam period, forcing several universities to adjust their assessment schedules. Penn State announced that Thursday night and Friday exams were canceled, with administrators working with faculty to determine implications for final grading. Boise State University also canceled its Friday final exams as a direct result of the Canvas shutdown. Mississippi State opted to reschedule its Friday exams to Saturday, while UT San Antonio postponed assignments and exams to a near‑future date. James Madison University moved its Friday morning exams to Wednesday to accommodate the disruption. Penn State noted that students could still participate in graduation ceremonies even without receiving final grades for those exams.
Instructure reported that Canvas was restored and back online on Friday May 7 2026. The company explained that the attackers had exploited a vulnerability in Free‑For‑Teacher accounts, which it subsequently shut down pending further review. Instructure emphasized that the unauthorized access revoked in late April had been reinstated by the attacker before the Thursday incident, leading to the second breach. Throughout the incident, affected institutions communicated with students and faculty about schedule changes and grading adjustments. No further details about data misuse or additional compromise were provided in the source material.