Last Thursday, as students at the University of Maryland prepared for finals week, many logged onto Canvas expecting to review lecture slides, study materials and assignments. Instead, they found themselves locked out.
“At first, a few people who tried thought it was just a glitch or that their Canvas [account] specifically wasn’t working,” recalls Andreas Burstein, a junior double majoring in economics and finance at Maryland. “And then everyone was like, ‘Oh yeah, it’s not working.’”
The timing was brutal. Finals began Monday, May 11 at Maryland, and many students had planned to spend last Thursday night studying. The university put out an alert to the campus community that evening, but Burstein says students initially learned more from social media accounts like Barstool Maryland and MarylandChicks, run by fellow students. Barstool’s Instagram page posted a data hostage message from the self-proclaimed perpetrators, ShinyHunters, with the words “CANCEL FINALS” emblazoned across the top.
“A lot of my friends were very stressed out about it,” Burstein says. “All your course materials are on Canvas.” The cloud-based learning management system is used by more than half of higher education institutions in North America, including every Ivy League school, according to the website of Canvas’ parent company, Instructure.
For Burstein’s roommate, who had finals scheduled on Monday, Tuesday and Wednesday, the outage created hours of uncertainty as he waited for study materials to return. Burstein, who had a few more days before his finals began, confesses there was one temporary upside. “It was a great way to justify procrastinating.”
Canvas was restored by Friday morning, but the disruption exposed how dependent colleges have become on third-party educational technology platforms—and how quickly students can be left scrambling when those systems fail.
Asking for comment, the University of Maryland pointed Forbes to a set of FAQs it issued Monday, saying it has extensive backup procedures, including downloading all data from Canvas to an archival server on a daily basis. Of course that didn’t help students looking for their study materials Thursday night.
Cybersecurity experts say the incident should be a wake-up call for both colleges and students.
Colleges Should Practice for Outages
Many colleges invest heavily in trying to prevent cyberattacks. Maryland, for example, said in its FAQs that it routinely hires outside companies to conduct security testing of its systems.
Fewer colleges spend enough time preparing for what happens after a hack succeeds, says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. “With many businesses, your readiness reflects your preparedness and your imagination. Organizations who stand up a lot of defenses but never practice the incident are less ready than those who do.”
Colleges should regularly run incident-response exercises that force leaders to think through scenarios before they happen, he says. “If you haven’t thought of this scenario, or any kind of scenario, and you haven’t practiced, then you’re going to be caught on the back foot when it does happen.”
Examine Third-Party Risk
The Canvas disruption also highlighted how reliant colleges are on outside vendors. Third-party risk management is key, even when a vendor is as large as Canvas. “There’s an expectation from universities that they’re purchasing something that’s going to be safe and secure,” notes Steinhauer. But as many schools found out last week, that’s not always the case.
In fact, the schools should have already been on notice about the problem. In 2023, the infamous Russian ransomware gang Clop exploited a vulnerability in MOVEit, a third-party program used to transfer big files, often containing confidential information. Hundreds of colleges and universities were among the thousands of organizations affected.
Educational institutions need to better understand what protections vendors have in place—and what happens when those vendors rely on additional outside providers of their own. “There are downstream effects throughout the supply chain that you have to have analysis and awareness of,” Steinhauer warns.
Even schools with very tight budgets can take lower-cost steps, including keeping track of what vendors they use, reviewing who has system access and developing clearer response plans, he adds.
Be Smart About Communications
Burstein said one of the most frustrating parts of the outage for students was the initial uncertainty. But Steinhauer says institutions need to be careful with their communications during an attack so they don’t share details that could worsen security vulnerabilities.
And some institutions also don’t want to open themselves up to liability. “Lawyers get involved, cyber insurance gets involved, and sometimes the communication becomes more generic,” Steinhauer observes.
The University of Maryland said it issued five updates during the 19 hours ELMS-Canvas was unavailable and provided guidance to faculty after the outage.
Students Should Be Alert for Phishing Attempts
“There is definitely a little bit of worry,” around what student data was stolen, Burstein says. “There is a lot of information on people [in Canvas], especially how they’re doing in class.”
While students don’t need to panic, they should be especially cautious after major breaches because scammers unrelated to the original hack often try to take advantage of the confusion and fear that a big, well-publicized hack generates.
“Bad guys like to impersonate the actors in this scenario,” Steinhauer explains. “If you’re a student and you get an email [purportedly] from Canvas or from your school district, teacher, professor or other third party referencing this attack, you cannot trust that that message is authentic,” he warns. Students should avoid clicking links in emails, texting unknown numbers or sharing personal information over the phone. Instead, they should navigate directly to official school websites or known accounts. (This sort of official looking message is known as imposter fraud, and it’s the most common type of scam reported to the Federal Trade Commission.)
Change Passwords—and Maybe Freeze Credit
Students—and those who monitor college systems—should update passwords immediately. Steinhauer also urges students and universities to enable multi-factor authentication wherever possible. “Doing that for every account is super important,” he said.
Even for colleges that have less funding available, these two steps are a good baseline for better online safety. “A lot of organizations or IT teams push back on multi-factor authentication because there can be friction with their users,” he says. “They don’t want to set it up or do it, but it’s table stakes in 2026.”
And for students worried about identity theft, he recommends freezing credit.
Meanwhile, the Canvas hijack has prompted some Maryland students to change how they prepare for finals.
“I’ve seen people already download slides into PDFs to make sure, if something like this happens, they still can study,” Burstein reports.
More on Forbes
