Massive education breach disrupts schools nationwide - Canvas platform under attack: A parent & Student survival guide. ShinyHunters hacked Canvas just before finals, exposing data from 275 million students across nearly 9,000 schools. Here's exactly what was stolen, what it means for your family, and six steps to protect yourself right now. What's new since its earlier coverage: Its previous posts covered the initial Canvas data theft disclosed in late April and the early school disruptions. Since then, the situation escalated dramatically on May 7 when ShinyHunters defaced Canvas login pages with live ransom demands - visible to students mid-exam - forcing Instructure to take the entire platform offline. Instructure has since confirmed the attackers exploited a vulnerability in Free-for-Teacher accounts, has permanently shut down that account type, and says the platform is fully restored. The May 12 ransom deadline is still active as of this writing. If your kid logged into Canvas this week and saw something that looked absolutely nothing like a school assignment - you weren't imagining it, and you're not alone. Millions of students across the country opened their laptops ahead of finals only to find a ransom note staring back at them instead of their course portal. Here's a plain-English breakdown of what happened, what information is actually at risk, and the concrete steps every parent, student, and school administrator should be taking right now. What happened, and who's behind it. Canvas, the Learning Management System built by Salt Lake City-based Instructure and founded in 2008, is used by tens of millions of students worldwide and is available in over 100 countries. According to Baylor University's notification to students, Canvas "supports learning at 41% of higher education institutions in North America." That reach is exactly what made it such an attractive target. The group responsible is ShinyHunters, a prolific cybercriminal collective that specializes in data theft and extortion. They typically gain initial access through voice phishing and social engineering - often impersonating IT personnel - and then quietly steal data before going public with demands. Their track record includes breaches of ADT, Rockstar Games, McGraw Hill, Medtronic, 7-Eleven, and Carnival, as well as a 2024 campaign that swept credentials from cloud storage provider Snowflake and was used in follow-on attacks against Snowflake customers including TicketMaster. The Canvas attack appears to have started as far back as September 2025. Krebs on Security reports that Cloudskope CEO Dipan Mann has documented at least three separate ShinyHunters intrusions into Instructure's environment over the past eight months, including a breach that exposed University of Pennsylvania donor records and internal memos through Canvas-connected access paths - a breach that was largely framed at the time as a "Penn-specific" incident. The production-scale attack hit on May 1, 2026. When Instructure declared it "contained" on May 2, ShinyHunters apparently still had access. On May 7, they proved it publicly - defacing Canvas login portals at hundreds of institutions with a ransom message that read, per Ars Technica: "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some 'security patches.'" The deadline for Instructure and individual schools to pay: May 12. Instructure confirmed the attackers exploited a vulnerability tied to Free-for-Teacher accounts - and has since permanently shut that account type down. What data was actually stolen? This is the question every parent deserves a straight answer to. According to Instructure's official statements, the confirmed stolen data includes: * Names * Email addresses * Student ID numbers * Messages between users The company says it has found "no evidence that passwords, dates of birth, government identifiers, or financial information were involved." That's the good news. The less reassuring part: ShinyHunters claims the haul includes data from 275 million people across 8,800 to 9,000 schools, and Krebs on Security notes the group claims it includes several billion private messages between students and teachers. As Arctic Wolf CISO Adam Marrè told The Record: "The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate." That's the real threat to watch for - highly personalized phishing that references your child's actual school, teachers, or course names. The disruption to schools was real and widespread. The timing couldn't have been more deliberately cruel. The Record confirmed outages and warnings to students from schools including Baylor, the University of Texas, Penn, Iowa State, Duke, the University of Oklahoma, the University of Florida, Northwestern, Princeton, and Ohio State - plus numerous K-12 districts. Ars Technica reports the University of Illinois postponed all finals scheduled for Friday through Sunday, and the University of Massachusetts Dartmouth rescheduled or extended exam deadlines. 6 steps parents and students should take right now. ZDNet's breakdown lays out practical action items that Computer Works'd echo and expand on for families in its area: * Check your school's communication channels. Schools are the first line of notification here - check your institution's website, email, and app for guidance specific to your district. * Change your Canvas password immediately - and any other account where you use the same password. A password manager can generate strong, unique passwords and alert you to future leaks. Don't reuse passwords across school, email, and banking accounts. * Enable two-factor or multi-factor authentication (2FA/MFA) on your Canvas account and any linked accounts. This is the single most effective thing you can do to prevent unauthorized access even if credentials are exposed. * Monitor Have I Been Pwned. It's free at haveibeenpwned.com. The Canvas data may not be indexed there yet, but it's worth bookmarking and checking periodically with any email address associated with the account. * Watch your inbox carefully. Instructure should notify affected users directly - but so might scammers pretending to be Instructure or your school. Look for strange grammar, spoofed sender addresses, or requests to click unfamiliar links. When in doubt, verify through a separate channel. * Keep an eye on financial and credit activity as children get older. Even if no financial data was confirmed stolen now, names and student IDs can be combined with other breached data over time. As Malwarebytes recommends, monitoring credit activity is a smart long-term habit for any student whose data may have been exposed. What schools and administrators should do. Instructure itself has recommended that institutions enforce MFA on privileged accounts, review admin access, and rotate API tokens and keys. Beyond that, Malwarebytes advises schools to review their single sign-on (SSO) integrations - because a breach of a platform like Canvas can cascade through any service that trusts its authentication. Schools should also prepare clear, proactive communication templates so that if defacements or data leaks happen again, staff, parents, and students aren't left guessing. Instructure has confirmed it notified the FBI and CISA, and has brought in external cybersecurity experts. The FBI declined to comment, and CISA did not respond to The Record's inquiry. The bigger picture. This breach follows the 2025 PowerSchool incident, in which Ars Technica reported a breach exposed data from 60 million students at 16,000 K-12 schools worldwide. Education technology platforms represent exactly the kind of high-leverage target that groups like ShinyHunters seek out: breach one vendor, pressure thousands of institutions at once. Charles Carmakal, CTO at Google-owned Mandiant Consulting, confirmed to Krebs on Security that "there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now." For Yuba City families and school staff navigating this, the core message is: the platform is back up, but the underlying data is still out there. The risk isn't necessarily today - it's the convincing phishing email that shows up in three months referencing your child's real teacher by name. If you're unsure whether your devices or accounts are properly protected, or if you want help setting up a password manager or enabling MFA, Computer Works is happy to walk you through it at Computer Works. Its membership plan also includes real-time protection and safe browsing tools that can help catch phishing attempts before they become a problem. Stay cautious, keep your software updated, and don't trust any Canvas-related email that asks you to click a link - no matter how official it looks. Related local service Worried this could be malware? If your computer has pop-ups, redirects, suspicious downloads, or ransomware warnings, start with its local virus removal page. cybersecurity small-business-it vulnerability web-security patch-management

Cyberattack leaves Canvas inaccessible at DPHS. Nam-Anh Lê, Reporter - May 7, 2026 Instructure, the vendor that provides Canvas, experienced an outage this afternoon. The learning management system was reportedly infiltrated by cybercriminal group ShinyHunters, according to The Harvard Crimson. "This is a vendor-level action and is not due to any disruption within district systems," said Rob Cooper, IT director at the Santa Barbara Unified School District in an email to district staff. Dos Pueblos High School students, staff, and parents will be temporarily unable to access Canvas, which is used to keep track of assignments, grades, tests, and messages from teachers. As Instructure is currently working to resolve the issue, no action is required by staff or students, according to Cooper. "We will continue to monitor the situation and provide updates as needed," Cooper wrote in the email. Students are currently unable to turn in their school assignments due to the outage, but several teachers have made accommodations. "It's a bit frustrating because I can't turn in my assignments, and it happened as I was attempting to turn in my English assignment in class," Reagan Widroe (12) said. "I think [my English teacher] said that she would accept it if we turned it in later because of the issues. But fingers crossed that nothing goes wrong." ShinyHunters has been involved in numerous cybercrimes since 2019. They are most notably known for data breaches, in which they threaten to leak or sell data on the dark web unless a ransom is paid by the victim company. The group reportedly set a May 12, 2026, deadline for schools to "negotiate a settlement" before "everything is leaked." "[ShinyHunters' actions are] concerning, and that's exactly what I expected the people who did this to be up to, because Canvas has a lot of information about students on it," Widroe said. "I would hope that there's stuff being done about that, and maybe safeguards in the future."

Hackers steal students' data during breach at education tech giant Instructure. Published by itjadmin at May 5, 2026 Education tech giant Instructure has confirmed a data breach affecting students' private information. The hacking and extortion gang ShinyHunters claimed responsibility for the breach. The hackers claim to have stolen students' names, their personal email addresses, and messages sent between teachers and students - the same type of data Instructure admitted was stolen. Instructure is the latest corporate giant hacked by the ShinyHunters gang. The cybercriminals have targeted universities and cloud database companies in recent months, in efforts to steal vast amounts of people's personal information and threaten to post the data online if the companies do not pay the hackers' ransom. A member of ShinyHunters shared a sample of the stolen data with TechCrunch, which included data from two schools in the United States, one in Massachusetts and one in Tennessee. In the case of the one in Massachusetts, the data included messages, which contain names, email addresses, and some phone numbers. As for the school in Tennessee, the sample included students' full names and email addresses. The sample did not contain passwords or the other types of data that Instructure said was unaffected by the breach. TechCrunch is not naming the schools as they are not confirmed victims. Based on information that appears on their websites, both schools appear to use Instructure's platform Canvas, which allows customers to manage coursework, assignments, and communicate with students. ShinyHunters also shared a list of about 8,800 schools allegedly affected by the breach. TechCrunch could not confirm whether all the listed institutions were affected, nor whether they are Instructure customers. On its official site, Instructure says it has more than 8,000 institutions as customers. When reached by TechCrunch, Instructure's spokesperson Kate Holmes did not answer several questions about the incident, and instead referred to the company's official page where it is publishing updates on the breach. On its data leak site, where ShinyHunters claims responsibility for data breaches and attempts to pressure victims into paying a ransom, the hackers claim the breach affected close to 9,000 schools around the world, and 275 million people's data, including students, teachers, and other staff. In an online chat, the ShinyHunters member told TechCrunch that the total unique emails that are included in the stolen data amount to 231 million. Financially motivated hacking groups are known to exaggerate their claims to gather the attention of the media, as well as their victims. As of Tuesday, Instructure said some of its products, such as Canvas, were restored for customers after undergoing maintenance. When you purchase through links in its articles, Itjockies may earn a small commission. This doesn't affect its editorial independence.