What's new since our earlier coverage: This post consolidates everything confirmed through May 8 — including the Free-for-Teacher account exploit that made the second breach possible, Instructure's notifications to the FBI and CISA, the wave of final exam reschedules at major universities, and ShinyHunters' suspicious disappearance from the leak site — and focuses specifically on what parents, students, and K-12 families should do right now.
If you've logged into Canvas lately — or tried to and couldn't — you've already felt the fallout from one of the most disruptive education cyberattacks in recent memory. The Krebs on Security reporting on this incident is alarming in scope: the cybercrime group ShinyHunters claims to have stolen data on roughly 275 million students, teachers, and staff across nearly 9,000 school districts, universities, and online education platforms. Instructure, the company behind Canvas, confirmed the breach — and then confirmed it happened again.
Here's what parents and students need to understand, and what you should be doing about it right now.
What Actually Happened (And Why It Kept Happening)
Instructure first detected unauthorized access on April 29. They revoked the hackers' access, hired outside cyber experts, and notified affected schools on May 5. On May 6, Instructure's Chief Information Security Officer declared the incident contained.
Then, on May 7, students across the country opened Canvas and saw a ransom demand instead of a login page.
According to The Record from Recorded Future News, the ShinyHunters message said the group had breached Instructure "again" after the company failed to negotiate a ransom. The note urged individual schools to contact the hackers directly by May 12. Instructure pulled the entire platform offline within hours, prompting emergency announcements from Baylor University, Duke, Princeton, Ohio State, Northwestern, the University of Florida, and dozens of other institutions. Several K-12 school districts were also impacted.
Instructure ultimately traced both incidents to the same root cause: a vulnerability related to Free-for-Teacher accounts. As a result, the company shut down all Free-for-Teacher accounts and notified the FBI and CISA. The Record confirmed that no new data was stolen during the May 7 defacement — but the damage from the original breach was already done.
Baylor University noted in its communications that Canvas "supports learning at 41% of higher education institutions in North America." That's not a single school's problem. That's an infrastructure problem.
Making matters worse, security researcher Dipan Mann — founder of Cloudskope — argues this wasn't even ShinyHunters' first successful run at Instructure. He links a September 2025 breach of University of Pennsylvania files, which exposed donor records and internal memos, to a Canvas-mediated access path — meaning ShinyHunters may have been inside Instructure's environment for eight months before the May 2026 attacks became public.
What Was Stolen
Instructure's May 6 statement confirmed that the stolen data includes "certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users." The company said it found no evidence that passwords, dates of birth, government identifiers, or financial information were included.
ShinyHunters, however, claims the haul is much larger — several billion private messages between students and teachers, plus names, phone numbers, and email addresses. Malwarebytes reports the criminals shared a list of 8,809 affected institutions, with per-institution record counts ranging from tens of thousands to several million.
The truth is likely somewhere in the middle — but even the conservative confirmed data set is enough to fuel targeted phishing and social engineering attacks for years.
What Parents and Students Should Do Right Now
1. Start with the official sources
Check your school district's or university's official website for breach notifications — not emails, not social media posts. Malwarebytes recommends verifying any notification that arrives in your inbox before clicking anything. If the message contains unusual links, pressure to act immediately, or requests for additional personal data, go directly to the school's site to confirm.
2. Change passwords — and not just Canvas passwords
If your child (or you) reuses the same password across Canvas, email, gaming accounts, or anything else, change all of them now. Use strong, unique passwords for every account. A password manager makes this manageable for families without relying on memory.
3. Turn on multi-factor authentication wherever possible
MFA makes it dramatically harder for attackers to access an account even if they have the password. If your school or district supports it for parent or student logins, enable it now. Remind kids that one-time security codes are never meant to be shared — not with classmates, not with anyone claiming to be "IT support."
4. Watch for phishing that sounds real — because it will
Adam Marrè, CISO at Arctic Wolf, put it plainly when speaking to The Record: "The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate." Attackers will use real school names, real teacher names, and real course information to craft convincing phishing messages. Be skeptical of any unsolicited email or text asking you to confirm credentials, open an attachment, or pay fees through unusual methods.
5. Consider identity protection for minors
If you're concerned about your child's long-term exposure, Malwarebytes recommends asking your school what monitoring or restoration services are being offered. In the U.S., you can also place a credit freeze on a minor's file to prevent new accounts from being opened in their name. This is worth noting even if your child is years away from needing credit.
What Should Schools Be Doing Differently?
This is the harder question. ShinyHunters is a sophisticated group that Krebs on Security notes typically gains access through voice phishing and social engineering — often by impersonating IT personnel. Charles Carmakal, CTO at Mandiant Consulting (owned by Google), confirmed that "there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now," suggesting Canvas is one target among many.
For K-12 districts and universities, the lessons here are uncomfortable but clear:
- Single vendor dependency is a real risk. When 41% of higher education runs on one platform, a single breach disrupts an entire academic calendar.
- "Contained" announcements need to be earned, not issued. Instructure declared the incident contained on May 2. By May 7, ShinyHunters was redecorating their login pages.
- Free or teacher-tier accounts deserve the same security scrutiny as paid accounts. The vulnerability Instructure ultimately disclosed was tied specifically to Free-for-Teacher accounts — an access tier that likely received less security hardening than the main platform.
- Incident response communication should be transparent. Calling a security-forced outage "scheduled maintenance" — as Instructure initially did — erodes the trust schools and families need to respond appropriately.
A Note for Local Families and School Staff
Whether you're a parent at a Yuba City-area school or a teacher managing coursework on Canvas, incidents like this are a reminder that our digital lives are increasingly managed by third-party platforms we have limited visibility into. If you're uncertain whether your accounts have been compromised, or if you're dealing with unexpected suspicious activity on a device, we're happy to help. That's exactly the kind of thing our team at Computer Works looks into as part of our membership plan, which includes ongoing vulnerability monitoring and safe browsing protection for the devices you use every day.
Stay skeptical, keep your passwords unique, and when in doubt — go directly to the source.