Boise State cancels finals in wake of disruptive cyberattack with global impact
Students and teachers at Boise State University and other colleges in Idaho on Thursday lost access to Canvas, the learning management system used by thousands of educational institutions worldwide, after a reported cyberattack.
Boise State sent an alert Thursday afternoon saying the outage was affecting access for institutions worldwide, and that there were no “available workarounds at this time.” The university has since canceled all final exams scheduled for Friday, and said they will not be rescheduled or negatively impact students’ final grades, according to the university’s systems status webpage. Final presentations and other activities could proceed as planned.
“While the outage primarily impacts teaching and learning activities, staff may also experience disruptions to workflows that rely on Canvas access, including coordination with faculty and students, academic support services, and course-related processes,” the Thursday email said. “University leadership and support teams are actively monitoring the situation and working to assess operational impacts and identify alternative solutions where needed.”
The university acknowledged the outage came at a “critical time” as the spring semester comes to an end. Boise State encouraged students to contact their instructors if they had outstanding assignments due Friday. Finals week at Boise State was scheduled to run Monday through Friday of this week. Grades for all students are due Tuesday. The university said it will provide additional guidance about grading.
Students and teachers at the College of Western Idaho were also impacted by the outage.
Students often access their syllabi, assignments, tests and grades through Canvas.
Canvas has more than 30 million active users, according to Instructure, its parent company. According to CNN, when some users across the country tried to log into Canvas on Thursday, they saw a ransom note on the homepage, signed by the group ShinyHunters, threatening to release information.
In an FAQ on the Instructure website, the organization said it had “detected unauthorized activity” in Canvas on April 29, and revoked that party’s access and launched an investigation. Hackers accessed data including names, email addresses, student ID numbers and messages. Instructure said there was no evidence that hackers stole passwords, dates of birth or financial information.
Again on Thursday, Instructure identified “additional unauthorized activity tied to the same incident.” In response, the company took Canvas offline into maintenance mode temporarily.
“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” the FAQ said. “This is the same issue that led to the unauthorized access the prior week.”
Instructure temporarily shut down those accounts, and said Canvas is fully back online. The most recent update to the status tracker on Boise State’s website from Thursday evening said it remains unavailable.
Instructure said it is working with forensic experts and has notified law enforcement. It is also taking steps to prevent incidents like this from happening again, including “hardening administrative access, token management, permissions, monitoring, and related workflows.”
This story was originally published May 8, 2026 at 9:41 AM.
