University of Oxford Reports Data Breach in CareerConnect Platform The University of Oxford has disclosed a data breach affecting its CareerConnect platform, a third-party service managed by Group GTI. The incident, detected on May 28, exposed users' first names, last names, email addresses, and encrypted passwords for those not using Single Sign-On (SSO). Passwords set locally on the platform have since been invalidated, requiring affected users to reset them. According to Group GTI, the breach appears to have been carried out to harvest credentials for phishing campaigns, though no evidence suggests that course details, uploaded files, appointment records, or financial data were accessed. This marks the second breach involving Oxford this year, following a May attack on Instructure’s Canvas learning management system by the ShinyHunters extortion gang, which compromised usernames, email addresses, messages, and course information. Oxford has confirmed that its internal systems remained secure in both incidents. Users of the CareerConnect platform have been advised to remain cautious of phishing or scam attempts leveraging the exposed data. The university continues to investigate the breach in coordination with Group GTI.

North Carolina Schools Recover from Statewide Canvas Cyberattack A ransomware attack on Instructure’s Canvas, the learning management system used by North Carolina’s public schools, disrupted operations for thousands of students and educators in early May. The incident, claimed by the ShinyHunters hacking group, led to a temporary statewide shutdown of the platform after unauthorized access was detected on April 29. The hackers initially breached Canvas through a Free-For-Teacher account, exfiltrating data tables containing student and staff names and school-assigned email addresses. A second intrusion occurred on May 7, when the attackers exploited a separate vulnerability to alter login pages, though Instructure disabled the attack within 10 minutes, preventing further data access. While the hackers claimed to have stolen data from 275 million users across nearly 9,000 schools, including private communications, officials stated that no passwords, Social Security numbers, financial information, or other sensitive personal data were compromised. The North Carolina Department of Public Instruction (NCDPI) suspended Canvas access statewide upon discovering the breach, working with cybersecurity firm CrowdStrike to assess the damage. By May 9, Instructure confirmed the system was fully restored, and NCDPI reinstated statewide connectivity on May 11 at 4 p.m. In a deal with ShinyHunters, the stolen data was returned, and duplicates were destroyed. Local districts, including Bladen County Schools, emphasized that no district-wide password resets were required but urged users to monitor accounts for potential phishing attempts, as exposed email addresses could be targeted. State Superintendent Maurice Green acknowledged the timing of the attack during final exams and graduations as particularly disruptive for students and educators. Instructure reported that no ongoing signs of compromise remained, though the incident highlighted vulnerabilities in widely used educational platforms. The breach affected over 8,000 schools and 30 million users nationwide.

FBI Warns of ShinyHunters Extortion After Instructure Ransom Payment On 15 May 2026, the FBI’s Internet Crime Complaint Center (IC3) issued an advisory regarding the ShinyHunters extortion gang, which breached an unnamed online Learning Management System (LMS) widely used by U.S. educational institutions. While the FBI did not explicitly identify the platform, cybersecurity reports confirmed the target as Canvas, operated by Instructure. The breach came to light after Instructure quietly confirmed on 12 May that it had reached a ransom agreement with the attackers. ShinyHunters provided "digital confirmation of data destruction" a claim met with skepticism, as ransom payments do not guarantee criminals will honor their promises. The FBI’s advisory underscored the risks, warning that stolen data including personal information, student IDs, and private communications could still be exploited. ShinyHunters, known for aggressive extortion tactics, has previously targeted organizations like Ticketmaster, Harvard, Princeton, and McGraw Hill. The group often employs harassment, swatting, and spearphishing to pressure victims, using stolen details to craft convincing fraudulent messages. The FBI advised affected individuals to avoid engaging with extortionists and await official guidance from their institutions. The incident highlights broader concerns: ransom payments incentivize further attacks, and educational platforms remain prime targets. While there is no confirmation that ShinyHunters will misuse the stolen data, the FBI urged vigilance, noting that defensive measures such as multi-factor authentication and skepticism toward unsolicited messages are critical. The breach serves as a reminder that even after a ransom is paid, the threat of exploitation persists.

Cyberattack Disrupts Canvas Learning Platform for McHenry County Schools A cyberattack this week targeted Canvas, an online learning management system used by multiple McHenry County, Illinois school districts and McHenry County College, causing temporary outages and exposing student and staff data. Woodstock School District 200 confirmed that Instructure, Inc., Canvas’s parent company, notified them of a data breach allowing unauthorized access to certain system information. The exposed data may have included student names, email addresses, student ID numbers, and Canvas messages, though passwords, dates of birth, government identifiers, and financial details were reportedly not compromised. The district’s security measures including two-factor authentication, restricted external email access, and automated access controls remain in place, with ongoing consultations with cybersecurity experts to strengthen defenses. Community High School District 155 also reported that Instructure detected a cybersecurity incident in late April, with unauthorized access leading to the potential exposure of similar data. Like District 200, District 155 stated there was no evidence of misuse and that the vulnerability had been addressed. Both districts advised monitoring for suspicious communications while assuring families that student and staff data security remains a priority. McHenry County College did not respond to requests for comment. Meanwhile, several other local districts including McHenry 156, Crystal Lake 47, Harvard 50, Marengo 154, Marengo-Union 165, and Huntley 158 confirmed they do not use Canvas. Johnsburg School District 12 acknowledged a teacher had previously used the free version but stated it had not been active in the past six months and was not affected by the breach. The incident highlights the growing cybersecurity risks facing educational institutions reliant on digital learning platforms.

Cyberattack Disrupts Canvas Learning System at Canadian Universities On May 8, 2026, Georgia Tech’s IT department alerted students, faculty, and staff to a cybersecurity breach affecting its Canvas learning management system, which is widely used for assignments and grading. The incident was part of a broader disruption impacting universities across Canada, including the University of Alberta, which confirmed it had been affected but remained uncertain about the full scope of the breach. Canvas, a platform utilized by thousands of schools globally, temporarily went offline due to the attack, disrupting academic activities. While the system has since been restored, the incident highlights ongoing vulnerabilities in educational technology infrastructure. No details on the attackers’ identity or the specific nature of the breach have been disclosed. The event underscores the growing threat of cyberattacks targeting critical digital tools in higher education.

Cybersecurity Incident Disrupts California State University Systems, Linked to ShinyHunters The California State University (CSU) Chancellor’s Office confirmed a cybersecurity incident affecting its campuses, including CSU Bakersfield (CSUB), involving Canvas, a third-party learning management system (LMS) used across the university system. The breach was first reported on [date not specified], with officials stating they are actively investigating the scope and impact of the attack. CSU emphasized its commitment to safeguarding student and employee data, though details on potential data exposure remain unclear. Updates will be provided as the investigation progresses. The incident appears to extend beyond CSU, with reports indicating the Kern High School District (KHSD) was also targeted. A photo shared by an Eyewitness News viewer showed a device displaying a claim of responsibility by the hacker group ShinyHunters, known for high-profile data breaches. Outreach to Bakersfield College and KHSD for confirmation of their involvement is ongoing. The attack highlights growing risks to educational institutions relying on third-party platforms, with further developments expected.

Charlotte-Mecklenburg Schools Reports Data Breach Affecting Canvas Portal Charlotte-Mecklenburg Schools (CMS) in North Carolina has disclosed a data breach involving Canvas, a third-party online learning platform used by teachers to post assignments. The district confirmed that the incident may have exposed some personal information but emphasized that CMS’s internal systems remained unaffected. The breach was identified and contained by Instructure, the company behind Canvas, which stated that the portal remains fully operational. While details on the scope of the exposed data have not been fully disclosed, CMS is investigating the incident to determine the extent of the impact on students and staff. The breach highlights ongoing risks associated with third-party educational platforms, particularly as schools increasingly rely on digital tools for remote and hybrid learning. Further updates are expected as the investigation progresses.

Utah Schools Hit by Widespread Canvas Software Data Breach Utah parents are being notified by school districts following a cyberattack on Canvas, a widely used educational software platform. The breach has impacted schools across the state, though specific details on the scope and nature of the exposed data remain unclear. The incident highlights growing cybersecurity risks in the education sector, where digital learning tools have become essential. While no official timeline for the attack has been disclosed, the breach underscores the need for heightened security measures in school systems handling sensitive student information. In a separate but related trend, Utah residents lost over $2.5 million to scams in 2025, according to AARP, with older adults frequently targeted. Common schemes include phishing, fraudulent tech support, and impersonation scams. Meanwhile, the Box Elder County Commission continues to review the proposed MIDA Stratos Project Area, a new data center development, after delaying action to assess public input and additional information. Discussions on the project can be viewed live, reflecting ongoing debates over infrastructure expansion in the region.

Cybersecurity Breach Disrupts Canvas Learning Platform Across U.S. Schools and Universities A widespread cybersecurity incident has disrupted Canvas, the widely used online learning management system, affecting schools, universities, and students nationwide including multiple institutions in Oklahoma. The outage, which began this week, has rendered both the web and mobile versions of Canvas inaccessible, preventing students from accessing assignments, quizzes, and exams. The University of Oklahoma (OU) confirmed the breach in an automated email to students, acknowledging a "global issue" impacting institutions worldwide. OU stated it is working with Instructure, Canvas’s parent company, to monitor the situation and gather details. Oklahoma State University (OSU) also reported the disruption, with Associate Director of Media Relations Mack Burke confirming that no timeline for restoration has been provided. Social media posts show Canvas displaying a black-and-white error notice, though the authenticity of these images remains unverified. The breach extends beyond higher education, with Edmond Public Schools notifying parents that their systems are also affected. The district stated there is no estimated recovery time, but updates will be shared as they become available. The incident coincides with a critical academic period, as students prepare for final exams and end-of-semester coursework, amplifying the disruption’s impact. Authorities and institutions continue to assess the scope and origin of the breach.

UC Berkeley Hit by Global Cyberattack, Disrupting Learning Platforms Ahead of Finals UC Berkeley officials issued an urgent warning to students and faculty on Thursday after a cyberattack disrupted the university’s learning management system, Canvas. The attack, which appears to be part of a broader campaign affecting institutions worldwide, has forced the university to restrict access to its digital platforms, including bCourses, just days before finals week. In a statement, Vice Provost Oliver M. O’Reilly instructed users to avoid accessing Canvas via any browser or device and to immediately log out if already signed in. While officials are working to restore access and explore alternative solutions, students have been advised to await further instructions from instructors regarding coursework and exams. The extent of the breach remains unclear, but the student-run newspaper The Daily Cal reported receiving a claim from the cybercrime group ShinyHunters, which alleged the theft of hundreds of thousands of records containing student and staff data. No official confirmation of the group’s involvement or the scope of the stolen information has been provided by the university. As of now, UC Berkeley continues to monitor the situation and assess the impact on academic operations. The incident underscores the growing threat of cyberattacks on educational institutions, particularly during critical periods like exam season.

Fresno State Hit by Nationwide Cyberattack Fresno State University was among the institutions impacted by a recent nationwide cyberattack targeting higher education. The incident, which disrupted operations at multiple colleges and universities, highlights growing cybersecurity threats in the academic sector. Details remain limited, but the attack underscores the vulnerability of educational institutions to ransomware, data breaches, and other malicious activities. Fresno State has not disclosed the extent of the breach or whether sensitive data was compromised. The timing and scope of the attack align with a broader trend of cybercriminals increasingly targeting organizations with critical infrastructure or large datasets. As investigations continue, the incident serves as a reminder of the persistent risks faced by universities, which often store vast amounts of personal and research data. No specific threat actor has been identified, but similar attacks have been linked to ransomware groups seeking financial gain or disruption. Further updates are expected as authorities and affected institutions assess the full impact.

Global Cyberattack Disrupts New Zealand Universities, Exposes Student Data A widespread cyberattack targeting Instructure, the third-party provider behind the Canvas learning platform, has left thousands of students and staff across New Zealand unable to access course materials, submit assignments, or communicate with tutors. The breach, which also impacted U.S. universities including Harvard and Stanford, has raised concerns over the exposure of sensitive student data. ### Key Details of the Incident - Who was affected? Universities in New Zealand including the University of Auckland, AUT, and Victoria University of Wellington as well as institutions in the U.S. reported disruptions. - What was compromised? While universities confirmed their own systems remained secure, the breach exposed names, email addresses, student ID numbers, and private messages exchanged on Canvas. No passwords or assessment data were reportedly accessed. - When did it happen? The attack surfaced on Thursday (May 9), with universities scrambling to implement workarounds by Friday (May 10). - Why did it happen? The hacking group behind the attack claimed Instructure had previously ignored their demands, prompting the breach. They threatened to release stolen data by May 12 unless affected institutions negotiated a settlement. ### Impact on Students and Institutions - Disrupted learning: Students like Tyler Jones from the University of Auckland faced delays in accessing lectures, readings, and assignment materials, with some assessments canceled or extended. - Privacy concerns: While many students dismissed the risks, experts warned that exposed messages could contain sensitive personal information. - University responses: AUT and the University of Auckland advised staff to log out of Canvas and assured extensions for affected assignments. AUT confirmed no submissions would be required while the platform was down. ### Global Reach of the Attack Canvas is used by 9,000 education systems worldwide, making this one of the largest recent cyber incidents targeting academic institutions. The hackers’ message, visible to users attempting to log in, accused Instructure of failing to address prior vulnerabilities, escalating the breach into a ransom-style extortion attempt. The full extent of the data exposure and the hackers’ next moves remain unclear as institutions assess the fallout.

Global Cyberattack Disrupts Learning Platforms at New Zealand and U.S. Universities A widespread cyberattack has compromised Canvas, a widely used online learning platform, affecting universities in New Zealand and the U.S., including the University of Auckland, Auckland University of Technology (AUT), Harvard, and Stanford. The breach, attributed to a hacking group targeting Instructure, Canvas’s parent company, exposed names, email addresses, student ID numbers, and private messages between users. The attack forced Canvas offline, prompting universities to implement urgent workarounds to mitigate disruptions to teaching and assessments. While no passwords, sign-on credentials, or student assessment data were reportedly compromised, the hackers left a message in the system, demanding schools contact them by May 12 to negotiate a settlement or risk public data leaks. The group claimed Instructure had previously ignored their warnings and applied only superficial security fixes. At AUT, staff were instructed to log out of Canvas, and students were granted assessment extensions while the platform remained inaccessible. The University of Auckland confirmed its internal systems were unaffected but acknowledged potential adjustments to academic deadlines. Canvas is used by over 9,000 education systems worldwide, underscoring the scale of the incident. The breach highlights vulnerabilities in third-party education platforms and the growing threat of ransom-driven cyberattacks targeting academic institutions.

Cybersecurity Incident Impacts Instructure, Potential UNR Data Exposure Under Investigation The University of Nevada, Reno (UNR) disclosed a cybersecurity incident involving Instructure, the vendor behind the Canvas learning management system. In a statement released Wednesday by UNR President Brian Sandoval, the university confirmed that Instructure experienced a data breach, though it remains unclear whether UNR-specific data was compromised. According to Instructure’s report to the Nevada System of Higher Education (NSHE), exposed information may include names, institutional email addresses, student ID numbers, and private Canvas messages. The company stated that no evidence suggests passwords, dates of birth, government identifiers, or financial data were affected, and the incident has been contained. A forensic investigation is ongoing. UNR is collaborating with NSHE to determine whether its data was impacted and will provide updates as more details emerge. In the interim, the university advised the campus community to remain vigilant against phishing attempts, particularly unsolicited messages requesting login credentials or personal information. Suspicious activity should be reported to [email protected]. The full scope of the breach and its potential impact on UNR users are still under assessment.

Instructure Strikes Deal with Hackers to Delete Stolen Canvas Data Amid Finals Chaos Instructure, the parent company of the widely used online learning platform Canvas, announced it had reached an agreement with hackers to delete data stolen in a recent cyberattack that disrupted students and faculty during critical exam periods. The company confirmed the deal in an online post but did not disclose whether a ransom was paid or identify the threat actors involved. The breach, which forced Instructure to temporarily take Canvas offline, was claimed by the hacking group ShinyHunters. The group initially threatened to leak data from nearly 9,000 schools worldwide and 275 million individuals unless a ransom was paid by May 6. After extending the deadline suggesting negotiations with some institutions the group later provided Instructure with "shred logs" as digital confirmation that the stolen data had been destroyed. Despite the agreement, Instructure acknowledged there was no guarantee the data was permanently erased, stating it acted to mitigate the risk of public exposure. The compromised data included student ID numbers, email addresses, names, and Canvas platform messages, though the company found no evidence of passwords, financial details, or government IDs being accessed. The disruption caused widespread panic as students and faculty were locked out of the platform a critical tool for managing grades, assignments, quizzes, and course materials. Canvas serves as a central hub for instruction, acting as a gradebook, digital lecture repository, discussion board, and submission portal for exams and final projects. Instructure is now working with cybersecurity vendors to conduct a forensic analysis, strengthen its systems, and review the scope of the breach. The incident highlights the vulnerability of educational platforms during high-stakes academic periods.

Tampa Bay Schools and SPC Hit by Canvas LMS Data Breach In early May, cyberattackers compromised student and staff accounts within the Canvas learning management system (LMS), affecting Hillsborough and Pinellas county schools as well as St. Petersburg College (SPC). Officials confirmed that the breach exposed only basic user details, though they urged affected individuals to remain cautious. The incident was first reported by the Tampa Bay Times, which noted that the attack targeted the widely used educational platform. While the full extent of the breach remains unclear, no evidence suggests that sensitive data such as Social Security numbers or financial information was accessed. The affected districts and SPC are continuing to assess the impact and response. The breach highlights ongoing cybersecurity risks in educational institutions, where digital platforms like Canvas serve as critical infrastructure for remote and in-person learning. No further details on the attackers’ motives or methods have been disclosed.

Instructure Confirms Data Breach as ShinyHunters Claims Theft of 275 Million Records U.S.-based edtech provider Instructure, the company behind the widely used Canvas learning management system, has confirmed a cyberattack resulting in the theft of user data. The ShinyHunters extortion group has claimed responsibility, listing Instructure on its data leak site and alleging the exposure of 275 million records tied to students, teachers, and staff across nearly 9,000 schools worldwide. Instructure disclosed the incident on Friday, stating it was working with third-party cybersecurity experts and law enforcement to investigate. An update on Saturday revealed that personally identifiable information (PII) including names, email addresses, student ID numbers, and private user messages was compromised. The company stated that passwords, financial data, dates of birth, and government identifiers were not affected, though it would notify impacted institutions if new evidence emerged. As part of its response, Instructure deployed patches, increased monitoring, and rotated application keys, requiring customers to re-authorize API access with new credentials. While the company has not confirmed the breach timeline or extortion demands, ShinyHunters claimed the attack exploited a now-patched vulnerability in Instructure’s systems. The threat actor’s leak site alleges the stolen data includes 240 million records containing names, email addresses, enrolled courses, and private messages between students and teachers. The dataset reportedly spans 15,000 institutions across North America, Europe, and the Asia-Pacific region, with ShinyHunters also claiming access to Instructure’s Salesforce instance and additional undisclosed data. BleepingComputer has not independently verified the full scope of the breach or the affected institutions. Instructure has not responded to requests for further details on the threat actor’s claims.

Instructure Strikes Deal with ShinyHunters to Prevent Leak of 3.6TB Stolen Data Instructure, the provider of the Canvas learning management system, has negotiated with the ShinyHunters extortion group to prevent the release of data stolen in a recent breach impacting over 30 million educators and students. The cybercriminals claimed responsibility for exfiltrating more than 3.6 terabytes of data by exploiting cross-site scripting (XSS) vulnerabilities in Instructure’s Free-for-Teacher environment. The attack also included defacing Canvas login portals with an extortion message. Instructure confirmed the breach, stating that the vulnerabilities allowed attackers to gain administrative access. While the company reported that the stolen data was returned and confirmed destroyed with no ransom paid the FBI has warned that such agreements do not guarantee data security. This incident follows a separate September 2025 breach, also attributed to ShinyHunters, which targeted Instructure’s Salesforce instance. In response, Instructure has temporarily disabled Free-for-Teacher accounts to address the security flaws and will host a webinar on May 13 to discuss the breach and mitigation efforts. The company has assured users that no further extortion demands will be met.

Pitt County Schools Investigates Data Breach Impacting Canvas Learning Platform Pitt County Schools (PCS) in North Carolina is investigating a data breach affecting Canvas, a widely used learning platform operated by third-party vendor Instructure. The incident was first reported on May 1, when Instructure’s status tool confirmed a cyberattack by a "criminal threat actor." By May 2, the company stated the breach had been contained. The compromised data may include names, email addresses, student ID numbers, and user messages, though Instructure has found no evidence that passwords, dates of birth, government identifiers, or financial information were exposed. Canvas remains operational for both PCS and East Carolina University (ECU), which also uses the platform. ECU notified students and staff on May 3, confirming no immediate action is required but advising caution against phishing attempts referencing the breach. The North Carolina Department of Public Instruction (NCDPI) was informed by Instructure on May 2 that some public school districts and charter schools in the state were impacted. While NCDPI has not yet identified all affected entities, Instructure is contacting districts directly as details emerge. PCS continues to assess the breach’s impact and will provide further updates.

Cyberattack Disrupts Canvas Learning Portal at Major Universities Worldwide Hackers breached Instructure Inc.’s Canvas platform this month, forcing the company to temporarily suspend services for thousands of colleges and universities globally. The attack, detected on May 1, exploited a vulnerability in a teacher-specific account, granting unauthorized access to some of the company’s websites. While much of the service was restored by May 2, affected teacher accounts remain suspended. Canvas, a widely used learning management system, supports critical academic functions, including exams, assignments, and grade tracking. The outage impacted institutions such as Harvard, Princeton, Stanford, Yale, Columbia, the University of Oslo, and Australia’s Adelaide University, disrupting operations for students and faculty. The extent of data exposure remains unclear, though some universities reported potential breaches of user information. Yale warned that names, email addresses, and internal messages may have been accessed, while Stanford flagged possible exposure of student IDs and communications. Rutgers and Baylor noted uncertainty around compromised data, with Baylor cautioning about subsequent phishing attempts targeting students. The cybercrime group ShinyHunters claimed responsibility in a dark web post, though Instructure has not confirmed their involvement. Known for data theft and extortion, the group has previously targeted educational institutions, including a 2023 wave of attacks on Ivy League schools that exposed alumni and student records. Instructure, acquired by private equity firm KKR in a $4.8 billion deal earlier this year, was previously majority-owned by Thoma Bravo. The Salt Lake City-based company, founded in 2008, has not disclosed whether sensitive data was exfiltrated during the incident.

Cyberattacks on Education Sector Evolve: Identity Abuse and SaaS Exploitation Drive Surge in Breaches Cyberattacks targeting educational institutions have shifted from opportunistic ransomware campaigns to sophisticated, identity-driven intrusions leveraging trusted platforms and valid credentials. Recent incidents linked to the threat group ShinyHunters including breaches at Udemy and Instructure (Canvas) highlight a growing trend: attackers no longer breach systems externally but instead operate within them, exploiting SaaS access, federated identities, and operational trust to evade detection. ### Key Trends and Incidents - Rising Threat Volume: Cyber incidents in the education sector surged 63% year-over-year, with 425 reported attacks between November 2024 and October 2025 up from 260 the prior year. Data breaches increased by 73%, while hacktivist activity rose 75% across 67 countries. The UK’s Cyber Security Breaches Survey 2025/2026 found that 98% of universities and 88% of further education colleges experienced a breach in the past 12 months, far exceeding the broader business average. - Udemy Breach (2025): ShinyHunters compromised 1.4 million records, including PII, instructor payout data, and corporate details, after the company refused extortion demands. The leaked data was later indexed by Have I Been Pwned, amplifying downstream phishing and credential-stuffing risks. - Canvas Breach (May 2026): The group exfiltrated 3.65TB of data tied to 275 million students, faculty, and staff across 9,000 schools worldwide. Attackers exploited "Free-for-Teacher" accounts to pivot into the SaaS platform, defacing 330 institution login portals including those of Harvard, Stanford, Columbia, and Rutgers and disrupting operations during critical academic periods. ### Attack Vectors: Identity Debt and SaaS Abuse - Identity Persistence as a Weakness: Educational institutions struggle with "identity debt" accumulated credentials from alumni, shared lab access, and temporary research accounts that persist beyond their intended use. Attackers exploit these valid but unmanaged identities to move laterally without triggering traditional security alerts. - SaaS as the New Intrusion Layer: Once inside, attackers embed themselves in cloud platforms (Microsoft 365, Google Workspace, Canvas) rather than endpoints. Techniques include: - OAuth abuse (e.g., granting Mail.Read or Files.Read.All permissions). - Mailbox manipulation (forwarding rules, suppressed security alerts). - API-driven access to reduce visibility. - Federated Identity Risks: Cross-institution collaboration via federated systems expands the blast radius of a single compromised identity. The Canvas breach demonstrated how a vendor compromise could cascade into sector-wide disruption. ### Operational Shifts in Extortion Tactics - Ransomware’s Decline as a Primary Tool: While ransomware persists, groups like ShinyHunters now prioritize data theft, leak-site pressure, and public exposure over encryption. The Canvas attack coincided with finals season, maximizing reputational and operational damage. - IT Impersonation and Social Engineering: Attackers pose as IT support staff to initiate MFA resets, password changes, or device registrations, exploiting operational trust rather than software vulnerabilities. ### Broader Implications The education sector’s open, collaborative model reliant on shared SaaS platforms, federated identities, and decentralized administration creates systemic vulnerabilities. As attackers refine their methods, the focus has shifted from preventing unauthorized access to detecting abuse of legitimate credentials and mitigating cross-institution propagation. The recent breaches underscore that vendor compromise now equals institutional compromise, with single intrusions capable of disrupting thousands of schools simultaneously.

Instructure Strikes Deal with ShinyHunters to Secure 275 Million Stolen Student Records Instructure, the company behind the Canvas learning platform, has reached an agreement with the hacking group ShinyHunters to prevent the leak of 275 million stolen student and teacher records. The breach, disclosed on 11 May 2026, followed a ransom demand from the hackers, who threatened to release the data unless paid by 12 May 2026. Under the deal, Instructure confirmed that the stolen data was returned, and ShinyHunters provided "shred logs" digital proof of permanent deletion. While the company did not disclose whether a ransom was paid, it assured affected institutions that no further extortion attempts would occur. ShinyHunters later stated that the data was "nonexistent" and that they would no longer target Canvas or its users. The attack unfolded in two phases. On 30 April 2026, ShinyHunters exploited a vulnerability in Canvas’s "Free for Teacher" accounts, gaining access to 3.65 terabytes of data, including names, email addresses, student IDs, course details, and billions of private teacher-student messages. A second attack on 7 May 2026 defaced login pages for 330 schools, displaying ransom notes and disrupting access to exams and assignments. Affected institutions included the University of Colorado and Virginia Tech, forcing Instructure to temporarily shut down services like Canvas Data 2 and Canvas Beta. Instructure’s CEO, Steve Daly, apologized for the disruption, confirming that core academic data such as grades and submitted work remained uncompromised. The company has since disabled the vulnerable "Free for Teacher" accounts while addressing security flaws. While Canvas is now operational, experts caution that deleted data may still exist in hidden copies, posing risks for phishing scams. Investigations into the breach are ongoing.

ShinyHunters Breaches Instructure in Massive Educational Data Theft The cybercriminal group ShinyHunters has carried out one of the largest educational data breaches to date, targeting Instructure, the provider of the Canvas learning management system. The attack, detected on April 29, exploited a vulnerability in Canvas Free for Teacher, a service used by 8,809 institutions worldwide, including K–12 schools and higher education organizations. Instructure responded on May 2 by revoking compromised credentials, deploying security patches, and rotating encryption keys. However, a second wave of activity occurred on May 7, with users reporting extortion messages upon logging in. ShinyHunters claims to have exfiltrated 6.65 terabytes of data, including 275 million records containing names, email addresses, student ID numbers, and private communications between students, teachers, and staff. Instructure’s CISO, Steve Proud, confirmed that no passwords, financial details, or government identifiers were compromised. The group has set a May 12 deadline to negotiate a settlement, threatening to leak the stolen data if demands are not met. The breach underscores the growing targeting of educational institutions by cybercriminals seeking sensitive student and faculty information.

Canvas Breach: Company Pays Shiny Hunters to Delete Stolen Student Data Instructure, the provider of the widely used academic platform Canvas, confirmed it paid a ransom to the cyber extortion group Shiny Hunters to prevent the release of stolen data. The breach, discovered on 29 April 2026, disrupted exams and operations at an estimated 9,000 institutions across the US, Canada, Australia, and the UK, with students like Mississippi State University’s Aubrey Palmer reporting sudden ransom messages mid-exam. Shiny Hunters, an English-speaking group linked to previous attacks on companies like Jaguar Land Rover and Gucci, claimed responsibility and threatened to publish 3.5 terabytes of student and university data unless paid in Bitcoin. While Instructure did not disclose the payment amount, it stated the agreement included "digital confirmation of data destruction" and assured no further extortion of customers. The company emphasized transparency, noting that paying ransomware groups despite law enforcement warnings was necessary to protect student data. However, past cases show hackers often retain stolen data even after payment. Shiny Hunters has a history of targeting organizations, including a prior breach of Instructure in September 2025, and is believed to operate through encrypted chats to negotiate payments. The attack left students scrambling, with some universities postponing exams to recover lost work. Shiny Hunters declined to comment on the disruption caused.

Instructure Pays Ransom to ShinyHunters After Massive Data Breach Affecting 9,000 Schools Instructure, the company behind the widely used Canvas learning management system, confirmed it paid an undisclosed ransom to the cybercriminal group ShinyHunters following a late-April data breach that exposed personal information of over 275 million students, teachers, and staff across nearly 9,000 schools worldwide. The attack, which disrupted access to Canvas including North Carolina’s K-12 public schools, Duke University, and UNC-Chapel Hill triggered a state-mandated shutdown of the platform while Instructure negotiated with the hackers. On April 29, ShinyHunters infiltrated Instructure’s systems, stealing data including usernames, email addresses, course details, and enrollment records. The group issued a ransom demand via a pop-up message in Canvas, setting a May 12 deadline before threatening to leak the stolen data. Instructure announced on May 20 that it had reached an agreement with the hackers, who claimed to return the data and provide "shred logs" as proof of destruction. The company stated that no further extortion attempts would target affected schools, though cybersecurity experts caution that such assurances from criminals are unverifiable. North Carolina’s Department of Public Instruction had temporarily blocked Canvas access for public schools following the breach, restoring it only after Instructure secured the deal. While the state prohibits public agencies from paying ransoms, the restriction does not apply to private companies like Instructure. Critics, including Cliff Steinhauer of the National Cybersecurity Alliance, argue that paying ransoms reinforces the profitability of cyber extortion, potentially encouraging future attacks. The FBI is investigating the incident, which follows a 2025 ransomware attack on PowerSchool another education platform where hackers received approximately $2.85 million in Bitcoin. Instructure emphasized its commitment to hardening its security posture and conducting a forensic review, though the long-term risks of retained or resold data remain a concern. The breach highlights the persistent threat to educational institutions, with ShinyHunters previously linked to attacks on three Ivy League schools in late 2025.

ShinyHunters Claims Major Data Breach of Udemy, Threatens to Leak 1.4M Records On April 24, 2026, the cybercriminal group ShinyHunters announced a data breach targeting Udemy, one of the world’s largest online learning platforms, alleging the theft of over 1.4 million records containing personally identifiable information (PII) and internal corporate data. The group issued a "Pay or Leak" ultimatum, demanding a response from Udemy by April 27, 2026, or risk public exposure of the stolen data. ShinyHunters, a financially motivated extortion group active since 2019, has built a reputation for high-profile breaches, including the 2020 theft of 200 million records from 13 companies. In 2026 alone, the group has intensified attacks on SaaS platforms and the education sector, with recent victims including Vercel, McGraw-Hill, and Harvard University (where 115,000 alumni records were exposed). Google Threat Intelligence tracks the group under the designation UNC6240, noting its shift from traditional network exploitation to social engineering, MFA bypass, and credential harvesting. ShinyHunters often exploits third-party integrations and compromised vendor credentials, as seen in the Vercel breach, where a third-party vendor (Context.ai) served as the entry point. The education sector remains a prime target, with ShinyHunters previously breaching India’s Unacademy, stealing over 10 million user accounts. As of publication, Udemy has not confirmed or denied the breach, and researchers continue monitoring the group’s leak site for potential data release following the deadline. The incident underscores the group’s evolving tactics and persistent focus on high-value targets.

Cyberattack on Canvas Platform Threatens Data of Millions of Students Nationwide The University of Minnesota (U of M) and nearly 8,000 other schools across the U.S. have been impacted by a cyberattack targeting Canvas, an educational software platform used for assignments, exams, grades, and lecture materials. The breach, claimed by the hacking group ShinyHunters, threatens to release the personal data of up to 270 million users unless a ransom is paid by May 12. The attack disrupted access to Canvas on Thursday afternoon, prompting Instructure the parent company to temporarily shut down the platform. While officials state there is no evidence that passwords, Social Security numbers, or financial data were compromised, the hackers allege they breached the system a second time after Instructure applied security patches instead of engaging with their demands. Local school districts and universities, including U of M, have issued alerts to students and parents. U of M’s website confirmed the outage and noted that transcript ordering via Parchment another Instructure-owned service has been suspended as a precaution. The incident coincides with the end of the academic year, with final exams underway and graduations at U of M scheduled for next week. The full scope of the hackers’ demands remains undisclosed.

Cyberattack Disrupts Final Exams at Major U.S. Universities A widespread cyberattack targeting Instructure, the company behind the cloud-based learning platform Canvas, disrupted final exams at thousands of universities across the U.S., including Rutgers, Princeton, and Ramapo in New Jersey. The attack, which began on May 7, forced institutions to cancel or postpone exams scheduled for May 8, leaving students without access to course materials and study resources. The hacking group ShinyHunters claimed responsibility for the breach, which they described as a ransomware attack, and threatened to leak stolen personal data unless demands were met by May 12. Instructure confirmed the outage, stating that Canvas was placed in "maintenance mode" while investigating login issues, though the platform was later restored for most users by late May 7. Universities scrambled to adapt, with administrators working overnight to distribute study materials via Google Drive and other alternatives. Rutgers-New Brunswick announced the postponement of Friday exams, while other affected institutions including Columbia, Harvard, the University of Michigan, and Penn State faced similar disruptions. Canvas, used by over 8,000 institutions and 30 million active users worldwide, serves as a critical tool for course management. ShinyHunters, known for targeting major corporations, previously claimed to have stolen 80 million records from Rockstar Games in April. The incident highlights the growing vulnerability of educational platforms to cyber threats.

Global Cybersecurity Alert: Widespread Canvas Data Breach Disrupts Students During Finals A major data breach in Canvas, the widely used learning management system (LMS), has caused significant disruptions for students worldwide, many of whom were in the midst of final exams. The incident, which surfaced in April 2026, exposed vulnerabilities in the platform, leading to system outages, delayed submissions, and heightened stress for users relying on the service for academic work. While details on the breach’s origin remain limited, reports indicate that the disruption affected institutions globally, with students reporting inaccessible course materials, lost assignments, and communication breakdowns. The timing coinciding with peak exam periods amplified the impact, leaving educators and administrators scrambling to mitigate fallout. Canvas, developed by Instructure, is a critical tool for millions of students and educators, making this breach particularly concerning for the education sector. No official statement on the cause or scope of the breach has been released, but the incident underscores the growing risks of cyber threats targeting essential digital infrastructure. As investigations continue, the event serves as a reminder of the vulnerabilities in widely adopted platforms, especially during high-stakes periods like final exams. Further updates are expected as more information becomes available.

Instructure Investigates Cybersecurity Breach Impacting Canvas LMS Users Instructure, the provider of Canvas one of the world’s leading learning management systems (LMS) has confirmed a cybersecurity incident involving a criminal threat actor. The company is actively investigating the breach with the assistance of external forensics experts to determine its full scope and impact. In a statement, Steve Proud, Instructure’s Chief Information Security Officer (CISO), acknowledged the incident and outlined initial response measures. The company has implemented heightened monitoring across its platforms and reissued certain security keys as a precaution, requiring some users to re-authorize access to affected tools. While there is no evidence the keys were misused, the move aims to mitigate potential risks. Preliminary findings suggest attackers may have accessed or exfiltrated user-identifying data, including full names, email addresses, student ID numbers, and messages. However, Instructure has stated there is no current evidence that more sensitive information such as passwords, dates of birth, government IDs, or financial details was compromised. Should this assessment change, the company has committed to notifying impacted institutions. Proud later confirmed that the incident has been contained and expressed gratitude for users’ patience while investigations continue. The breach reflects a growing trend of cyberattacks targeting educational technology platforms, which store vast amounts of personal data. Recent incidents include PowerSchool’s 2025 extortion attempt and Infinite Campus’s 2026 Salesforce breach, underscoring the sector’s vulnerability to threat actors.

North Carolina Faces Record-Breaking Data Breaches, Including Major Education Sector Attacks North Carolina has seen a surge in data breaches, with the state’s Department of Justice (NCDOJ) reporting 2,349 incidents in 2025 impacting over nine million residents. The majority of these breaches stem from hacking and phishing attacks, with cybercriminals increasingly targeting sensitive data for extortion or resale. A recent breach at Wake County Public Schools highlighted the vulnerability of educational institutions. The district confirmed a cybersecurity incident involving Canvas, a statewide learning management system operated by Instructure, potentially exposing student and staff data. This follows a 2024 attack on PowerSchool, a student information system, where hackers accessed millions of records an incident linked to the lack of multi-factor authentication (MFA). The company reportedly paid a ransom to the attackers. Education remains a prime target, accounting for 155 breaches (7% of the state’s total) in 2025. Experts note that schools store vast amounts of sensitive data but often rely on third-party vendors, making them attractive to attackers. Kimberly Simon, CEO of Growth Office Partners, emphasized that a single breach can compromise thousands of individuals at once. In response, the North Carolina Department of Public Instruction (NCDPI) is seeking $1.1 million in funding for cybersecurity contracts, including phishing simulation training a critical tool, as 70% of attacks originate from phishing. During a recent State Board of Education meeting, Vanessa Wrenn, NCDPI’s chief information officer, stressed the need to address vendor security gaps, while board member Alan Duncan acknowledged past breaches tied to third-party vulnerabilities. The FBI’s 2024 Internet Crime Report further underscores the financial toll, with North Carolinians losing $431.6 million across 25,940 complaints. The agency recommends MFA implementation, network segmentation, regular backups, and timely patching to mitigate risks. Despite these measures, the state’s escalating breach numbers signal an ongoing challenge in securing critical infrastructure.

Cybersecurity Alert: Global Canvas Data Breach Disrupts Students During Finals Prosecutors in the U.S. made headlines this week with the announcement of criminal charges in the 2024 collapse of Baltimore’s Francis Scott Key Bridge, but another incident far less visible yet equally disruptive has sent shockwaves through the education sector. A data breach affecting Canvas, the widely used learning management system (LMS), has compromised student data worldwide, causing chaos for learners already under pressure during final exams. The breach, which came to light in recent days, exposed sensitive information belonging to students across multiple institutions. While details on the scope of the exposed data remain limited, the incident has raised concerns about the security of educational platforms, particularly as reliance on digital learning tools continues to grow. The timing coinciding with peak academic stress has amplified the disruption, leaving students and administrators scrambling to assess the fallout. Canvas, developed by Instructure, is a cornerstone of modern education, used by K-12 schools, universities, and training programs globally. The breach underscores the vulnerabilities in third-party edtech systems, which often handle vast amounts of personal data, including grades, assignments, and communication records. As investigations unfold, the incident serves as a stark reminder of the cybersecurity risks facing critical infrastructure even in sectors not traditionally seen as high-priority targets. No official statement on the breach’s origin or the number of affected users has been released, but the impact is already being felt across campuses. With exams underway, the disruption adds another layer of stress for students already navigating academic deadlines. The long-term consequences including potential identity theft or further exploitation of compromised data remain unclear, but the incident has reignited debates over data protection in education.

Cyberattack Disrupts Canvas Learning System Ahead of Final Exams A cyberattack has targeted the Canvas learning management system (LMS), a platform used by thousands of schools nationwide, just as students prepare for final exams. The incident, which occurred in the lead-up to the critical academic period, has raised concerns about potential disruptions to coursework, grading, and student access. Canvas, developed by Instructure, is widely adopted by K-12 districts and higher education institutions, including the University of Minnesota, for online learning, assignments, and communication. While details on the attack’s origin, scope, and impact remain limited, the timing coinciding with end-of-term assessments has amplified concerns among educators and students. The breach underscores the growing vulnerability of educational technology infrastructure, particularly as reliance on digital platforms increases. Schools and universities are assessing the fallout, though no official statement on data exposure or recovery timelines has been released. The incident serves as a reminder of the critical need for robust cybersecurity measures in academic environments.

ShinyHunters Hacking Group Targets Major Organizations, Including Education Sector The cybercriminal group ShinyHunters, named after the rare "Shiny" Pokémon sought after by players, has emerged as a significant threat since 2020. According to threat intelligence from Ransomware.live, the group has compromised 104 victims across 14 countries, stealing trillions of records. The majority of attacks 73 incidents have targeted U.S.-based organizations, including high-profile names such as Microsoft, Ticketmaster, Google, Cisco, AT&T, McDonald’s, Disney/Hulu, Harvard, and Princeton. One of the group’s most disruptive attacks involved Instructure’s Canvas Learning Management System (LMS), which serves educational institutions. The breach exploited a vulnerability in the Free for Teacher environment, a no-cost version of Canvas that allows independent educators to manage classes. Following the attack, Instructure temporarily disabled the service while conducting a security review. The incident highlights broader risks posed by centralized digital ecosystems and third-party dependencies, demonstrating how modern extortion operations can disrupt critical sectors even beyond education. While technical details remain limited, the attack underscores the growing threat of sophisticated cybercriminal groups targeting both corporate and institutional infrastructure.

Cyberattack Disrupts Canvas Learning System Ahead of School Finals A cyberattack has targeted the Canvas learning management system, a platform used by thousands of schools across North America, just as students prepare for final exams. The incident has raised concerns about potential disruptions to academic operations during a critical period for educators and learners. Canvas, developed by Instructure, is widely adopted by K-12 institutions and universities for coursework, assignments, and grading. While details on the attack’s origin, scope, and impact remain limited, the timing coinciding with the end of the academic year has amplified its significance. Schools relying on the system may face delays in accessing materials, submitting assignments, or processing grades. The attack underscores the growing vulnerability of educational infrastructure to cyber threats, particularly as digital learning platforms become central to academic workflows. No group has claimed responsibility, and it remains unclear whether the incident involved ransomware, data theft, or another form of disruption. Further updates are expected as investigations continue.

Massive Cyberattack Disrupts U.S. Education Sector via Canvas LMS Breach A widespread cyberattack has disrupted universities and K-12 schools nationwide, targeting Instructure, the parent company of Canvas, a widely used learning management system (LMS). The breach has impacted millions of students and faculty, forcing institutions like the University of Illinois and Illinois State University to delay final exams and assignments. The hacking group ShinyHunters has claimed responsibility, threatening to release stolen data unless affected institutions negotiate a settlement. While highly sensitive information such as Social Security numbers and passwords appears uncompromised, exposed data includes names, email addresses, student ID numbers, and private messages, raising concerns about phishing and fraud risks. Cybersecurity experts warn that the breach could lead to targeted scams, as stolen data may be sold to third parties. The hackers have set a May 12 deadline for institutions to respond, though no resolution timeline has been provided. Multiple universities, including Northwestern and the University of Chicago, have confirmed the outage, with some temporarily disabling Canvas access. Instructure is investigating the incident, but schools remain uncertain when services will be restored. The attack highlights vulnerabilities in third-party education platforms, affecting institutions that rely on Canvas for daily coursework and communication.