It's a scary message to receive, and I don't know what data will be released.
In the first weeks of May 2026, a criminal hacking group known as ShinyHunters turned the final exam season into a moment of institutional reckoning, breaching Canvas — the learning platform trusted by 9,000 schools and universities across North America and Australia — and demanding ransom in bitcoin while threatening to expose stolen student data. The attack arrived not as an abstraction but as a message on a screen mid-exam, transforming a season of academic culmination into one of uncertainty and loss. It is a reminder that the digital infrastructure quietly holding modern education together remains, for all its reach, deeply fragile — and that those who depend on it most are rarely the ones who built its defenses.
- ShinyHunters infiltrated Instructure's Canvas platform and issued a ransom deadline of May 12, threatening to release stolen institutional and student data if payment in bitcoin was not received.
- The attack struck at the worst possible moment — final exam week — leaving students mid-essay staring at extortion notices and universities scrambling to cancel or postpone assessments across multiple countries.
- Individual students bore the human weight of the breach: one meteorology student lost a 2,900-word exam essay, while a master's student at Northwestern unknowingly triggered the ransom message by clicking what looked like a legitimate university email.
- Universities responded unevenly — some postponing all exams, others simply telling students to log out — while Instructure's claim that Canvas was 'available for most users' by Thursday night rang hollow for institutions still reporting outages the following day.
- The incident landed inside a broader political moment, with Senate Democrat Chuck Schumer urging the Trump administration on the very same day to strengthen cyber defenses against AI-enabled attacks before critical systems fail the people who depend on them.
On a Thursday in early May, students across North America and Australia opened Canvas expecting coursework and exams — and found a ransom note instead. The hacking group ShinyHunters had breached Instructure, Canvas's parent company, and was demanding bitcoin payment by May 12, threatening to release stolen data if ignored. Roughly 9,000 institutions were affected, and the timing was devastating: final exams were underway.
At Mississippi State, a meteorology student named Aubrey Palmer had just finished a 2,900-word exam essay when the extortion message appeared on her screen. Her first instinct was that she personally had been hacked. Around her, dozens of classmates received the same message simultaneously. Mississippi State postponed its Friday exams entirely. Idaho State cancelled all afternoon exams. Penn State and the University of Sydney told students simply not to log in. At Northwestern, a master's student named Jacques Abou-Rizk clicked what appeared to be a legitimate administrator email — and triggered the ransom notice himself. By Friday, he still had no access and had received only a generic message saying the university was 'monitoring an issue.'
The anxiety was not only about lost coursework. Students feared what data might be released about them and what harm that exposure could cause. The University of Chicago disabled its Canvas page after discovering it had been targeted. The Chicago Maroon published screenshots of ShinyHunters' message, which invited universities to negotiate privately to avoid a public data release. Instructure claimed Canvas was restored for most users by late Thursday, but many institutions remained offline into Friday.
ShinyHunters was no stranger to high-profile attacks — the group had been linked to a damaging breach of Jaguar Land Rover the previous year. A cybersecurity analyst confirmed the group had begun targeting Canvas the prior Sunday, with staggered extortion deadlines. On the same day the attacks peaked, Senator Chuck Schumer wrote to the Trump administration urging stronger defenses against AI-enabled cyber threats. The Canvas breach made his warning feel less like foresight and more like a description of something already unfolding.
On a Thursday in early May, students across North America and Australia logged into Canvas, the learning platform they relied on for coursework and exams, only to find a message waiting for them: their institution had been breached. The hacking group ShinyHunters had infiltrated Instructure, the company that owns Canvas, and was now demanding ransom in bitcoin, threatening to release stolen data if payment didn't arrive by May 12.
The scope was staggering. By Friday, roughly 9,000 schools and universities worldwide were offline or severely degraded. The timing could hardly have been worse. Universities were in the thick of final exams—the academic moment when everything students had worked for that semester came due. At Mississippi State University, a meteorology student named Aubrey Palmer had just finished typing a 2,900-word exam essay when the ransom note materialized on her screen. "My knee-jerk reaction was that I'd been hacked myself," she recalled. But as she read further, she realized the breach was institutional, not personal. Around her, dozens of other students in the same room received the identical message. The initial panic gave way to a different kind of dread: uncertainty about whether their work had been saved at all.
Universities scrambled to respond. Mississippi State postponed Friday's final exams outright, giving students time to recover lost work and regain their footing. Idaho State cancelled all exams scheduled after noon. Penn State told students that no one had access to Canvas and that a fix was unlikely within 24 hours, so it cancelled exams for Thursday and Friday. The University of Sydney informed its students simply not to log in. The University of British Columbia warned students to log out immediately. At Northwestern University, a master's student named Jacques Abou-Rizk had clicked what appeared to be a legitimate email from a university administrator, only to trigger the ransom message. "It's a scary message to receive," he said. By Friday, he still couldn't access Canvas and had heard nothing further from the university beyond a generic email saying they were "monitoring an issue."
The human cost rippled outward in waves of frustration and anxiety. Palmer said she was furious at the prospect of redoing her exam. Abou-Rizk spoke of the dread that came not just from being locked out of his coursework, but from not knowing what data might be released about him or what threat that exposure might pose. Students at UCLA struggled to submit assignments. The University of Chicago temporarily disabled its Canvas page after discovering it had been targeted. The Chicago Maroon, the university's student newspaper, published screenshots of ShinyHunters' extortion message, which urged the university to contact the group privately to "negotiate a settlement" and avoid "the release of their data."
By late Thursday, Instructure posted an update saying Canvas was "available for most users," but the claim rang hollow for many institutions still reporting outages on Friday. A threat analyst at the cybersecurity firm Emisoft, Luke Connolly, told the Associated Press that ShinyHunters had begun targeting Canvas on Sunday, with extortion deadlines set for Thursday and May 12. The group had not disclosed what it intended to do with the data it claimed to have stolen. ShinyHunters was not a new player in the criminal landscape—the group had been linked to a major and economically damaging hack on Jaguar Land Rover the previous year.
The breach arrived at a moment of heightened concern about cyber vulnerabilities in American infrastructure. On the same day the attacks hit, Chuck Schumer, the top Senate Democrat, sent a letter to the Trump administration urging stronger defenses against cyber risks in an age of rapidly advancing artificial intelligence. "Before Americans are hit with outages, disruptions, and attacks that could put lives and livelihoods at risk," he wrote. The Canvas incident seemed to underscore his point with brutal clarity: critical systems that millions of people depended on—in this case, the educational infrastructure supporting 9,000 institutions—remained exposed to determined attackers willing to hold data hostage.
Citas Notables
My knee-jerk reaction was that I'd been hacked myself, because that's what it looked like. But then I actually read the ransom note and saw it was Canvas that had been hacked.— Aubrey Palmer, meteorology student at Mississippi State University
There's definitely anxiety surrounding not only being able to complete my work and access the sites that I need access to on Canvas, but also just not knowing exactly what the threat is and how it might affect me.— Jacques Abou-Rizk, Northwestern University master's student
La Conversación del Hearth Otra perspectiva de la historia
Why does timing matter so much here? It's a cyber attack—couldn't it have happened in September just as easily?
Because in May, students are taking final exams. Their entire semester's grade often hinges on that week. You can't reschedule a student's anxiety or their need to prove they learned something. The attack hit at the moment of maximum vulnerability and maximum consequence.
Did the universities handle this well?
They did what they could under impossible circumstances. Mississippi State postponed exams, which was the right call. But some universities just sent generic emails saying they were "monitoring" the situation. If you're a student, that's not reassuring. You want to know what happens to your grade, your data, your future.
What's the real threat here—the lost work or the stolen data?
Both, but differently. The lost work is immediate and fixable, if painful. The stolen data is the thing that keeps you up at night. A student doesn't know what information ShinyHunters has. Social security numbers? Financial aid information? Medical records? The ransom note doesn't say. That uncertainty is its own kind of harm.
Has ShinyHunters done this before?
Yes. They hit Jaguar Land Rover last year and caused significant economic damage. This is a group that knows how to extract value from breaches. They're not amateurs.
What happens if universities don't pay?
That's the question no one can answer yet. ShinyHunters says it will release the data. Whether it actually does, whether the data is as comprehensive as they claim, whether they'll sell it or publish it—all of that remains unknown. The threat is real, but the follow-through is still uncertain.