
May 10, 2026

Canvas Breach: Second Attack, FBI Involvement, and the May 12 Deadline

The Canvas data breach story has continued to develop over the weekend, and as the May 12 ransom deadline approaches on Tuesday, several new details have come out that change the picture for affected schools, parents, and businesses. The FBI is now actively involved. The attackers have started going around Instructure and trying to extort individual students. And the criminal group’s listing on its public leak site has quietly disappeared – a behavior that, in their pattern of operation, usually means negotiations have started.

If you’re catching up for the first time, here’s the full picture.

The Story So Far

Instructure, the company that owns Canvas, has been hit twice in two weeks by a criminal extortion group called ShinyHunters. Canvas is the learning management system used by every public and charter K-12 school in North Carolina, by the UNC system, by NC State, by Duke, by our community colleges, and by thousands of institutions worldwide. About 30 million active users rely on it globally.

The timeline:

  • April 25 – Attackers got into Instructure’s systems.
  • April 29 – Instructure detected the intrusion and revoked the attackers’ access. By then, names, email addresses, student ID numbers, and messages exchanged between students, teachers, and staff had been stolen.
  • April 30 – May 3 – Public disclosure. ShinyHunters claimed responsibility on May 3, listed Instructure on their dark web leak site, and demanded payment under threat of leaking the stolen data.
  • May 5 – Wake County Public Schools notified parents.
  • May 6 – Charlotte-Mecklenburg Schools, Cabarrus County Schools, and other NC districts began notifying their communities. First ransom deadline expired.
  • May 7 – The attackers struck Instructure again. They defaced the Canvas login page across hundreds of institutions, replacing the normal login screen with a ransom message that real students and faculty saw. The message read, in part: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’ Instructure didn’t fix all the vulnerabilities, we have more.”
  • May 7-8 – Instructure took Canvas offline, replaced the ransom message with a “scheduled maintenance” notice, and worked to restore service. Most users had access back by Friday morning. The cause was later confirmed to be a vulnerability tied to Instructure’s Free-For-Teacher account system.
  • May 12 – The current ransom deadline. ShinyHunters has stated that all stolen data will be leaked publicly if they aren’t paid by the end of the day Tuesday.

Per Instructure’s own confirmation, the stolen data includes names, email addresses, student ID numbers, and messages exchanged between Canvas users. The company says passwords, dates of birth, Social Security numbers, and financial information were not involved. ShinyHunters claims to have 3.65 terabytes of data covering 275 million people across nearly 9,000 institutions, though Instructure has not confirmed those numbers.

NC institutions that have publicly confirmed they were affected so far: Wake County Public Schools, Charlotte-Mecklenburg Schools, Durham Public Schools, Cabarrus County Schools, Cumberland County Schools, Duke University, and multiple UNC system institutions. The North Carolina Department of Public Instruction has also been notified.

Now, here’s what’s new this weekend.

The FBI Is Now Involved

According to a CNN report citing a source familiar with the matter, the FBI has mobilized resources in multiple states to assist victims of the hack. The agency confirmed Friday that it was aware of the platform service disruption and advised concerned students and faculty to wait for official guidance from their schools regarding the scope of the incident and the nature of any affected data.

For parents, this is the formal acknowledgment that federal law enforcement now considers this a significant incident. It’s also a useful signal that real institutional response is happening – even when individual schools may not have shared specific details yet.

More Details on the Defacement: 330 Schools, Free-For-Teacher Vulnerability

Threat intelligence firm Halcyon now estimates that the May 7 defacement reached the Canvas login pages of roughly 330 institutions, not just a handful. That’s the formal count of how many schools saw the criminal ransom note in place of their normal login screen during finals week at many universities.

The line in the ransom note that security professionals are paying particular attention to: “Instructure didn’t fix all the vulnerabilities, we have more.” Whether the attackers actually retain additional unused access into Instructure’s systems, or whether that statement is purely psychological pressure for negotiation, is not yet clear. But Instructure’s own subsequent confirmation that the second attack used a vulnerability tied to its Free-For-Teacher account system – a feature that allows individual teachers to use Canvas independently of a school district subscription – suggests the attackers have spent meaningful time mapping the platform’s surface area.

The Hackers Are Now Extorting Students Directly

Perhaps the most significant development for families: ShinyHunters has pivoted from extorting Instructure to extorting individual schools and individual students. The San Diego Community College District notified its students this weekend that some of them have received direct attempted extortion messages from the threat actors.

This is a meaningful escalation. It means the attackers have moved past the corporate extortion phase and are now using the stolen data to attempt to extort individuals based on the content of their Canvas messages, accounts, or other identifying information that was captured. For a high school or college student who has used Canvas to message a teacher about anything personal – a missed class, a family situation, a sensitive school issue – that content is potentially in criminal hands and may be used to pressure them directly.

If your child or a student in your family receives any message claiming to have their Canvas messages or threatening them with disclosure, do not respond and do not pay. Tell the student to bring the message to a parent, teacher, or counselor immediately. Document everything. Report it to the school’s administration and to local law enforcement, who can route it to the FBI’s ongoing investigation.

Instructure’s Listing Was Pulled From the Leak Site

Late this past week, the Instructure listing was removed from ShinyHunters’ public data leak site. According to Halcyon’s analysis, this matches a documented pattern: the group typically removes entities from its leak site when those entities initiate contact with the attackers. Whether that means an actual ransom payment, an opening negotiation, or just an exchange of communication isn’t publicly known.

ShinyHunters also publicly stated this weekend that they will not be discussing this campaign with the media – another behavior typical when active negotiations are underway.

What this doesn’t mean: that the threat is over. Even if Instructure ultimately pays a ransom, there’s no guarantee the data won’t be released anyway. Security professionals consistently warn that recovery planning should not depend on negotiation outcomes. The data has already been stolen. The genie is out of the bottle regardless of what happens between Instructure and the attackers.

The Bigger Concern: Vishing Campaigns Are Spinning Up

Google’s Mandiant cyber-intelligence team reported earlier this year that ShinyHunters has been increasingly relying on voice phishing – or “vishing” – to harvest credentials before stealing data. The pattern: a phone call to an employee, impersonating IT support or a vendor, designed to trick them into giving up credentials or installing remote-access software. Mandiant noted activity consistent with this pattern increased throughout early 2026.

With student names, school information, teacher names, and class details now in criminal hands, expect a wave of highly targeted phone calls in the coming weeks – not just emails. Calls claiming to be from your child’s school. Calls claiming to be from a teacher. Calls claiming to be from the school’s IT department. Calls referencing real classes, real teachers, and real student names.

The phone is the next attack surface, and small business owners and parents alike need to be ready for it.

What North Carolina Families Should Do Before Tuesday

The May 12 leak deadline is two days away. Whether or not the data ultimately gets released publicly, the criminal use of it has already begun. Here’s the action list for this weekend:

  • Change your child’s Canvas password tonight. If they use single sign-on through the school, that may not apply – but if they log in directly, change it. Make it unique. Use a password manager.
  • Enable two-factor authentication everywhere it’s offered. Email, school portals, social media, financial accounts.
  • Talk to your kids about extortion messages. If they receive any message – by email, text, social media DM, or direct contact – claiming to have their Canvas messages or threatening them with disclosure of school content, they need to come to you immediately. They should not respond, should not engage, and should not delete the message. Take screenshots. Bring it to a parent or trusted adult.
  • Prepare for phone-based scams. If you get a call mentioning your child’s school, teacher, class, or any other school-related detail – even if the caller sounds authoritative and knows real information – do not give out any other personal information, do not click any link they send, and do not install anything they tell you to install. Hang up. Call the school directly using a number you trust.
  • Be skeptical of “new sign-in detected” alerts. These are particularly weaponized right now. In the fraudulent versions, the link goes to a fake login page. Never click the link. Open the website yourself in a new browser tab and check your account from there.
  • Watch for unusual activity on your child’s accounts – logins from unfamiliar devices, password reset emails you didn’t request, messages they didn’t send.
  • Document any suspicious contact. If you or your child receive anything that looks like a targeted attempt, save it. Take screenshots. Report it to the school. The FBI’s investigation is active, and this kind of evidence is valuable.

The Pattern Continues, and the Lesson Holds

Every new chapter of this story reinforces the same big-picture point we’ve been making for weeks: your data is only as secure as the third parties you trust with it. Wake County Public Schools, Charlotte-Mecklenburg Schools, Durham Public Schools, Duke University – none of them got hacked. Their vendor did. And now, two weeks later, parents and students are dealing with extortion attempts that no school district could have prevented.

The same pattern applies to every small business in the Triangle. Every cloud platform that holds your customer data, your employee records, your financial information is a potential exposure point. The defense isn’t to stop using cloud services – that’s not realistic. The defense is to know which vendors hold what, how you’d respond if any of them got breached, and how to recognize the wave of personalized phishing, vishing, and extortion that always follows.

How Pendergrass Consulting Helps

This is exactly the kind of risk where small businesses most often have gaps – because no one on staff has the job of thinking about these things. That’s where we come in.

Our managed cybersecurity service for small businesses across the Triangle includes:

  • Vendor inventory and risk assessment – so you know what data is sitting where, and what your exposure looks like if any one vendor gets breached
  • Account security hardening across the SaaS platforms your business depends on – multi-factor authentication, password policy, admin access reviews
  • Security awareness training for employees built around real, current threats – including post-breach phishing campaigns, voice phishing attempts, and the “new sign-in detected” lures that follow every major credential exposure
  • Incident response planning so you have a real playbook for what to do if a vendor of yours announces a breach affecting your customer data
  • Quarterly reviews where we walk through what we changed, what we found, and what’s coming next

If you’ve never had a real conversation about which vendors hold your business’s data, what you’d do if any of them got breached, or whether your team would recognize a personalized phishing call that referenced real details about your business – that’s what we mean by a comprehensive small business environment review. There’s no charge for the first conversation and no commitment beyond it.

Pendergrass Consulting
Phone: 252-432-3325
Email: Sales@PendergrassConsulting.com
110 S. Massey St., Suite 201, Selma, NC 27576

Pendergrass Consulting is a full-service IT firm based in Selma, NC, serving small businesses and families across the Research Triangle, Raleigh, Cary, Wake County, Johnston County, and nationally for web, hosting, email, cloud backup, cybersecurity, and digital marketing services.
