The Canvas dashboard blinked and then vanished, replaced by a ransom demand that froze everyone mid-scroll. You watched group chats go from sleepy to incendiary in seconds. I’ve written about breaches before, but a hack during finals is its own kind of panic.
Students saw their exam portal hijacked and couldn’t get inside
The dashboard became a ransom note — a red stop sign over finals week. At roughly 4:20 p.m. on Thursday, May 7, thousands of students at schools including The University of Pennsylvania, Virginia Tech and Duke opened Canvas and found a message from the hacker group ShinyHunters instead of their classes.
ShinyHunters claimed an Instructure breach and demanded private contact with a group they called TOX, threatening to leak names, emails, schedules and ID numbers. The attackers posted a list (tracked on sites like ransomware.live) that suggested 275 million users at more than 9,000 schools—every Ivy League included—were affected. Students flooded X (formerly Twitter), Reddit and campus Discords, sharing screenshots and panic.
How did Canvas get hacked?
Short answer: ShinyHunters says they breached Instructure; Instructure logged earlier activity and Canvas briefly showed ‘scheduled maintenance’ as the ransom note disappeared. I follow forensic threads—these attacks often begin with exposed credentials, third-party integrations or a missed patch. Once a foothold exists, attackers move laterally and harvest data.
Universities and Instructure flipped to damage control
Campus IT teams posted terse, buttoned-up statements while students scrambled. Canvas’ message about scheduled maintenance replaced the ransom note by the evening or next morning in many places, and the ShinyHunters extortion listing was later removed.
You can read reporting from student papers—the Daily Pennsylvanian, The Harvard Crimson and The Collegiate Times—showing the same pattern: outage, scare, terse official updates, and then partial restoration. In parallel, K–12 vendor PowerSchool admitted earlier this year to paying a ransom after a breach, which is now part of institutional calculus for many universities.
Was student data exposed in the Canvas breach?
ShinyHunters threatened to leak names, emails, schedules and student ID numbers. That range of data isn’t just embarrassing; it’s currency for further phishing and identity fraud. Schools have avoided full disclosure so far, which raises the question: how much of your personal information was actually exfiltrated?
Professors moved tests, students demanded relief, and administrators braced
Some classes rescheduled exams—Friday tests were shifted to Sunday at a few schools—and dozens of threads appeared asking for graded leniency. I’ve been inside enough faculty meetings to know administrators are balancing public relations, legal exposure, and the academic calendar.
You hold leverage here. Students are the affected party and deadlines matter. A brief, pointed push for a modest curve or alternate assessment can shift outcomes, because institutions hate the optics of mass complaints after a breach.
Can universities be forced to pay ransom?
Legally, schools can choose to pay or not, and many cyber insurers and legal teams weigh that decision. Public pressure, student outcry, and regulatory scrutiny influence the choice—but ransom payments have precedent. The question for you is whether the school will prioritize rapid restoration over transparency and long-term accountability.
What I’d watch next and what you can do right now
Expect three threads to dominate: forensic reports from Instructure, official notifications from affected schools, and data appearing on extortion forums or paste sites. Keep a personal log: screenshots of affected pages, timestamps, and any emails from your university. Freeze credit monitoring if you see Social Security or financial data mentioned.
Practical defense: change reused passwords, enable two-factor on critical accounts, and be hyper-skeptical of any email asking for credentials. Point IT to concrete harms—missed deadlines, locked exams—and request a remedy in writing. I recommend asking professors for an explicit grading adjustment or an alternate assessment; these are reasonable, paper-trailable requests when a school’s service fails.
ShinyHunters pulled a large-scale public stunt that exposed structural risk in the academic software stack. Instructure and university IT teams will be audited, vendors will get calls, and the incident will be another case study in boardrooms. For now, students should protect their accounts, document harms, and press for compensation in grades where appropriate.
Finals are supposed to test learning, not crisis management—are you going to let administration treat your exam week like collateral damage?