What's new since our earlier coverage: Our previous posts covered the initial Canvas data theft disclosed in late April and the early school disruptions. Since then, the situation escalated dramatically on May 7 when ShinyHunters defaced Canvas login pages with live ransom demands — visible to students mid-exam — forcing Instructure to take the entire platform offline. Instructure has since confirmed the attackers exploited a vulnerability in Free-for-Teacher accounts, has permanently shut down that account type, and says the platform is fully restored. The May 12 ransom deadline is still active as of this writing.
If your kid logged into Canvas this week and saw something that looked absolutely nothing like a school assignment — you weren't imagining it, and you're not alone. Millions of students across the country opened their laptops ahead of finals only to find a ransom note staring back at them instead of their course portal. Here's a plain-English breakdown of what happened, what information is actually at risk, and the concrete steps every parent, student, and school administrator should be taking right now.
What Happened, and Who's Behind It
Canvas, the Learning Management System built by Salt Lake City-based Instructure and founded in 2008, is used by tens of millions of students worldwide and is available in over 100 countries. According to Baylor University's notification to students, Canvas "supports learning at 41% of higher education institutions in North America." That reach is exactly what made it such an attractive target.
The group responsible is ShinyHunters, a prolific cybercriminal collective that specializes in data theft and extortion. They typically gain initial access through voice phishing and social engineering — often impersonating IT personnel — and then quietly steal data before going public with demands. Their track record includes breaches of ADT, Rockstar Games, McGraw Hill, Medtronic, 7-Eleven, and Carnival, as well as a 2024 campaign that swept credentials from cloud storage provider Snowflake and was used in follow-on attacks against Snowflake customers including TicketMaster.
The Canvas attack appears to have started as far back as September 2025. Krebs on Security reports that Cloudskope CEO Dipan Mann has documented at least three separate ShinyHunters intrusions into Instructure's environment over the past eight months, including a breach that exposed University of Pennsylvania donor records and internal memos through Canvas-connected access paths — a breach that was largely framed at the time as a "Penn-specific" incident.
The production-scale attack hit on May 1, 2026. When Instructure declared it "contained" on May 2, ShinyHunters apparently still had access. On May 7, they proved it publicly — defacing Canvas login portals at hundreds of institutions with a ransom message that read, per Ars Technica: "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some 'security patches.'" The deadline for Instructure and individual schools to pay: May 12.
Instructure confirmed the attackers exploited a vulnerability tied to Free-for-Teacher accounts — and has since permanently shut that account type down.
What Data Was Actually Stolen?
This is the question every parent deserves a straight answer to. According to Instructure's official statements, the confirmed stolen data includes:
- Names
- Email addresses
- Student ID numbers
- Messages between users
The company says it has found "no evidence that passwords, dates of birth, government identifiers, or financial information were involved." That's the good news. The less reassuring part: ShinyHunters claims the haul includes data from 275 million people across 8,800 to 9,000 schools, and Krebs on Security notes the group claims it includes several billion private messages between students and teachers.
As Arctic Wolf CISO Adam Marrè told The Record: "The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate." That's the real threat to watch for — highly personalized phishing that references your child's actual school, teachers, or course names.
The Disruption to Schools Was Real and Widespread
The timing couldn't have been more deliberately cruel. The Record confirmed outages and warnings to students from schools including Baylor, the University of Texas, Penn, Iowa State, Duke, the University of Oklahoma, the University of Florida, Northwestern, Princeton, and Ohio State — plus numerous K-12 districts. Ars Technica reports the University of Illinois postponed all finals scheduled for Friday through Sunday, and the University of Massachusetts Dartmouth rescheduled or extended exam deadlines.
6 Steps Parents and Students Should Take Right Now
ZDNet's breakdown lays out practical action items that we'd echo and expand on for families in our area:
Check your school's communication channels. Schools are the first line of notification here — check your institution's website, email, and app for guidance specific to your district.
Change your Canvas password immediately — and any other account where you use the same password. A password manager can generate strong, unique passwords and alert you to future leaks. Don't reuse passwords across school, email, and banking accounts.
Enable two-factor or multi-factor authentication (2FA/MFA) on your Canvas account and any linked accounts. This is the single most effective thing you can do to prevent unauthorized access even if credentials are exposed.
Monitor Have I Been Pwned. It's free at haveibeenpwned.com. The Canvas data may not be indexed there yet, but it's worth bookmarking and checking periodically with any email address associated with the account.
Watch your inbox carefully. Instructure should notify affected users directly — but so might scammers pretending to be Instructure or your school. Look for strange grammar, spoofed sender addresses, or requests to click unfamiliar links. When in doubt, verify through a separate channel.
Keep an eye on financial and credit activity as children get older. Even if no financial data was confirmed stolen now, names and student IDs can be combined with other breached data over time. As Malwarebytes recommends, monitoring credit activity is a smart long-term habit for any student whose data may have been exposed.
What Schools and Administrators Should Do
Instructure itself has recommended that institutions enforce MFA on privileged accounts, review admin access, and rotate API tokens and keys. Beyond that, Malwarebytes advises schools to review their single sign-on (SSO) integrations — because a breach of a platform like Canvas can cascade through any service that trusts its authentication. Schools should also prepare clear, proactive communication templates so that if defacements or data leaks happen again, staff, parents, and students aren't left guessing.
Instructure has confirmed it notified the FBI and CISA, and has brought in external cybersecurity experts. The FBI declined to comment, and CISA did not respond to The Record's inquiry.
The Bigger Picture
This breach follows the 2025 PowerSchool incident, in which Ars Technica reported a breach exposed data from 60 million students at 16,000 K-12 schools worldwide. Education technology platforms represent exactly the kind of high-leverage target that groups like ShinyHunters seek out: breach one vendor, pressure thousands of institutions at once. Charles Carmakal, CTO at Google-owned Mandiant Consulting, confirmed to Krebs on Security that "there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now."
For Yuba City families and school staff navigating this, the core message is: the platform is back up, but the underlying data is still out there. The risk isn't necessarily today — it's the convincing phishing email that shows up in three months referencing your child's real teacher by name.
If you're unsure whether your devices or accounts are properly protected, or if you want help setting up a password manager or enabling MFA, we're happy to walk you through it at Computer Works. Our membership plan also includes real-time protection and safe browsing tools that can help catch phishing attempts before they become a problem.
Stay cautious, keep your software updated, and don't trust any Canvas-related email that asks you to click a link — no matter how official it looks.
