New Mexico State University students received a pop-up message on their Canvas home pages on Thursday, May 7. The message stated Instructure, the parent company of Canvas, was hacked in a repeat data breach, putting students’ personal school data in jeopardy. 

 “At this time, please do NOT log in, click on anything, or download any files from Canvas or Canvas-related emails/notifications. Please log out of Canvas until further notice,” an email from NMSU Information Security said. 

According to various reports, the cybercriminal group ShinyHunters allegedly struck down over 9,000 other schools’ Canvas systems in this attack. They allegedly have access to 3.65 TB of information from around 275 million individuals. This includes private messages between professors and students, student ID numbers, and email addresses.  

A warning across the Canvas page from ShinyHunters was shortly removed and replaced with a Canvas message that read: “Canvas is currently undergoing scheduled maintenance. Check back soon.” on the system’s home page. 

Earlier this month, ShinyHunters struck Instructure and reportedly did not receive the resolution they desired from the company. In this breach, ShinyHunters stated that they were “ignored” and were instead covered up with security patches. Before this, cyberattacks from ShinyHunters were performed on Infinite Campus and McGraw Hill, two other popular school information systems that integrate and share data into Canvas. 

“[The warning] urged schools included on the affected list to consult with a cyber advisory firm and contact the group privately to negotiate a settlement before the end of the day on May 12 — or else risk their data being leaked,” The Harvard Crimson said, after Harvard University was listed as one of the 9,000 schools in the breach.  

Both the Canvas website and mobile app are currently unusable to both faculty and students, leaving both groups unsure of their next moves so close to finals week. Especially regarding assignments that are awaiting a grade or have not been turned in yet.  

“If [an assignment] was less than 20 points, I might just say, ‘Hey, forget it.’”Richard Coltharp, a professor at NMSU’s Department of Journalism and Media Studies, said. “But one assignment I have that’s already turned in, but I haven’t graded, if it’s worth 300 points, like more than a third of the whole class. … what I might do is email everybody and say, ‘Hey, can you guys just email me your documents?’” 

NMSU Information Security urges students to wait for an official “all-clear” before attempting to access Canvas again. 

UPDATE

Af of May 8, 2026, NMSU announced in a press release that Canvas was restored for students at 8 a.m. Assignments due on May 7 and 8 were extended to May 11 to support those who were affected by the outage. The release also notified readers that faculty may extend any deadline they see fit.

While the cyberattack left users concerned about whether their information was safe, the university said Instructure reported, “…there is no sign that anyone kept access to the system, accessed NMSU user accounts, or took any additional data.”

As a precaution, NMSU advises faculty members to download their Canvas gradebooks to prevent the loss of students’ progress.