2nd Canvas Data Breach Disrupts Exams at Penn State and Beyond
A second unauthorized access incident targeting Instructure's Canvas platform on May 7 has sent shockwaves through higher education, forcing universities including Penn State to cancel exams, restrict platform access, and scramble for contingency plans. The Canvas data breach affecting schools and colleges marks an alarming escalation in attacks on centralized educational technology, putting the sensitive academic and personal data of millions of students squarely in the crosshairs.
What Happened in the Second Instructure Breach
On May 7, Instructure confirmed a second unauthorized access incident affecting its Canvas learning management system. While full technical details remain limited, the breach followed closely on the heels of a previous incident, suggesting that either the original vulnerability was not fully remediated or attackers found a new avenue into the platform's infrastructure.
Instructure stated that the issue was eventually resolved and that Canvas returned to full operational status, with no evidence of ongoing unauthorized access at the time of disclosure. However, that assurance did little to calm the alarm among the thousands of schools that depend on Canvas for course delivery, assessments, and storing sensitive student records.
This second incident is part of a broader pattern of attacks on Instructure. As covered in "ShinyHunters Breach Hits Instructure Canvas: Students Exposed," the notorious ShinyHunters hacking group previously confirmed a breach affecting millions of students and educators across institutions worldwide. The May 7 incident compounds that earlier compromise, raising questions about whether adequate security improvements were made in the interim.
Which Schools Were Affected and How
Penn State University was among the most prominently affected institutions, canceling scheduled exams and temporarily restricting faculty and student access to Canvas. The timing proved particularly damaging, as the breach struck during a period when many colleges and universities were in the middle of finals season, when students rely most heavily on the platform for submitting assignments, accessing course materials, and taking online assessments.
Beyond Penn State, California's University of California and California State University systems were also reported to be affected, along with institutions across Virginia and other states. The breach's international scope, touching universities across the globe, underscores how deeply Canvas has become embedded in academic infrastructure worldwide.
For students, the practical consequences went beyond a missed deadline. Exam cancellations created scheduling chaos for graduating seniors and those with time-sensitive academic requirements. Faculty faced the challenge of communicating with students through backup channels on short notice, and administrators had to make rapid decisions about whether to trust the platform while an active investigation was underway.
Why Centralized Ed-Tech Platforms Are a Privacy Risk
The repeated targeting of Instructure highlights a structural problem in modern educational technology: the concentration of sensitive data from thousands of institutions onto a single vendor's infrastructure. Canvas serves an estimated 9,000 or more educational institutions globally. That scale creates an extremely high-value target for cybercriminals, because a single successful breach can yield academic records, personally identifiable information, and potentially financial data from millions of individuals at once.
This is the definition of a single point of failure. When a school system runs its own local infrastructure, a breach is damaging but contained. When thousands of schools outsource their data to one platform, the blast radius of any attack becomes enormous. The ShinyHunters group recognized this when they reportedly claimed to have accessed nearly 275 million records in a related Instructure incident, as detailed in "ShinyHunters Claims 275M Records in Instructure Breach."
Regulatory frameworks like FERPA in the United States require educational institutions to protect student records, but the obligations and enforcement mechanisms become complicated when data is held by a third-party vendor. Schools may face liability exposure even though they were not the direct targets of the attack.
How Students and Staff Can Protect Sensitive Academic Data
While institutional security decisions lie with administrators and IT departments, there are concrete steps that students and staff can take to reduce their personal exposure.
Use strong, unique passwords. If you reuse the same password across multiple platforms and Canvas credentials are compromised, attackers can attempt credential-stuffing attacks on your email, banking, or other accounts. Use a password manager to generate and store unique credentials for every service.
Enable multi-factor authentication wherever possible. Canvas and most institutional SSO systems support MFA. Activating it means a stolen password alone is insufficient for an attacker to access your account.
Be alert to phishing attempts. After a major breach, attackers often send follow-up phishing emails impersonating the affected platform or the institution itself. Treat any unsolicited email asking you to reset credentials or verify account details with skepticism. Go directly to the official institutional URL rather than clicking email links.
Monitor your academic and personal records. If your institution confirms that your data was included in the breach, consider placing a credit freeze and monitoring for any signs of identity misuse. Academic records and student IDs can be used in targeted social engineering attacks.
Ask your institution for specifics. Schools have an obligation under FERPA to notify students about breaches that affect their records. Do not wait passively; contact your registrar or IT department and ask directly what data was involved and what protective steps are being taken on your behalf.
What This Means For You
The second Canvas data breach affecting schools and colleges is a reminder that convenience and centralization come with tradeoffs. Millions of students trusted that their academic institutions, and the vendors those institutions rely on, were safeguarding their personal information. That trust has been tested twice in a short period.
For students and educators, the practical priority right now is securing personal accounts and staying alert for follow-on attacks. For institutions, the breach should prompt a serious review of vendor security requirements, data minimization practices, and contingency planning for when third-party platforms go down or are compromised.
To understand the full scope of the attacks tied to Instructure and the threat actors involved, review the detailed ShinyHunters breach coverage linked above. Knowing the origin and methods behind these incidents is the first step toward advocating for stronger protections from the platforms you and your institution depend on every day.




