News

Millions of users’ data taken for ransom in Canvas breach

Adriana Monsanto, Features Editor | May 22, 2026

Junior Niko Tarbert browses his Canvas dashboard. Students use Canvas to submit assignments, take tests and tune in to announcements.

Across the nation, cursors spun in circles as students and teachers waited on the Canvas (also known as “eCampus” in Seminole County) login page’s familiar red glow. When opening the app to complete one last assignment, a final exam or a club application for next year, nobody expected anything out of the ordinary in their end of year procedures.

So, when users across the world were instead met with the neon red outline of a ransomware message, much of the educational world came to a standstill. Canvas had been hacked.

So, what happens when one of the cornerstones of modern education disappears?

This question was first asked as a hypothetical, on April 29, when Instructure (Canvas’ parent company) first said that it “detected unauthorized activity in Canvas.” No further details were shared for the next two days.

Then, on May 1, Instructure revealed that the platform was hacked, and that user records had been accessed and were being held for ransom.

The perpetrators ended up stealing 3.65 terabytes of data, including names, email addresses, student ID numbers and messages between students and faculty, leaving many of the platform’s 30 million active users concerned about the whereabouts of their sensitive information.

“I’m concerned that if such a large-scale security breach could happen this time, that they could find a means to do it a second time,” junior Niko Tarbert said.

And they did. Though the company stated only less than a week later on May 6 that the application was back to normal, that was not nearly the end of the platform’s complications.

In their May 6 statement, Canvas assured users that there was no evidence that government identifiers, financial information, passwords or dates of birth were tampered with during the breach, but users’ relief only lasted so long.

The hackers breached Canvas again on May 7, and this time the platform’s login page displayed a ransomware message reading: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some ‘security patches.’”

Ransomware message displayed in place of the Canvas login page on May 7. The service went offline shortly after (Photo via 404 Media).

In the message, ShinyHunters, a renowned cyber criminal group, mandated a ransom payment deadline of May 12 before “everything is leaked” and prompted readers to visit a link to “negotiate a settlement” if they were on the “affected list” of schools.

“It was basically part of their pressure tactic, giving proof of the breach and directing victims into negotiating the ransom,” SCPS Network Specialist Michael Siudak said.

Instructure proceeded to take Canvas offline. Most users regained access on the evening of May 8.

“The county removed eCampus from [the] Clever [portal] and stopped syncing [grades] to Skyward so that if anyone was in our eCampus account, they couldn’t get to Skyward, which actually has the important information,” Siudak said.

The breach inconvenienced both students and teachers. One of the main issues was the disruption of Canvas’ grade syncing feature, which makes it possible to sync the Canvas and Skyward gradebooks.

“I [had] to spend a good amount of hours redoing all the grades because of that,” art teacher Beverly Sanchez said. “I had to re-input all of my grades onto Skyward and [my students] kept asking me, ‘Is my grade updated?’”

Schools across the world faced similar problems, especially a large portion of higher education institutions in the United States, as it is estimated that 41% of these colleges and universities use Canvas. The outage led to thousands of assignment extensions and other disruptions to students’ learning.

Though the outage occurred before exams officially began in Seminole County, other schools were not as lucky, with colleges and universities across the nation extending due dates and postponing exams.

Instructure claimed that they had received proof that all tampered information had been destroyed by ShinyHunters when they reached an agreement with “the unauthorized actor” on May 11. Though it has not been officially disclosed, experts estimate that Instructure paid $10 million in exchange for the destruction of the sensitive information.

However, many professionals claim that it is unlikely that users’ information is truly safe. In the past, ShinyHunters specifically, in addition to many other cyber criminal organizations, is known for not being thorough in their destruction of information.

In a press release from Halcyon, Johnny Collins, the Director of Intelligence Operations at Halcyon’s Ransomware Research Center, said that the “intermediaries or transfers [of data] in between are rarely cleaned up”, meaning the data may not be entirely wiped from their systems.

Either way, most sensitive information in the Seminole County Public School system is stored in Skyward, which remained secure throughout the entire breach.

“Luckily, the hackers never got any sensitive information,” Principal Robert Frasca said. “I know our district does a really good job of protecting our data, so [for that] I’m thankful.”

209 Views

Donate to The BluePrint Online

$460

$500

Contributed

Our Goal

Your donation will support the student journalists of Hagerty High School. We are an ad-free publication, and your contribution helps us publish six issues of the BluePrint and cover our annual website hosting costs. Thank you so much!

About the Contributor

Adriana Monsanto, Features Editor

Adriana Monsanto is a junior and our Features Editor on staff! In her spare time, she enjoys doing her makeup and listening to music.