Tech Daily

Tech moves fast, but you're still playing catch-up?

That's exactly why 200K+ engineers working at Google, Meta, and Apple read The Code twice a week.

Here's what you get:

All delivered twice a week in just 2 short emails.

Join 200K+ engineers

A massive ransomware attack just held finals week hostage at thousands of schools, ShinyHunters is back with a vengeance, and the question of who pays to keep student data safe has never been more uncomfortable. Buckle up.

The biggest tech story unfolding right now is the cyberattack on Instructure, the parent company behind Canvas, the cloud-based learning management system used by more than 30 million active users across roughly 8,000 institutions. On May 7, students at Harvard, Princeton, Columbia, Georgetown, Rutgers, the University of Pennsylvania, the University of Washington, Duke, Kent State, and thousands of K-12 schools logged in to study for finals and were instead greeted by a ransom note. The note was signed by ShinyHunters, a loose international cybercrime affiliation that the Department of Justice has previously described as a "notorious international hacking crew."

The message read, in part, that ShinyHunters had breached Instructure "again" and that the company had ignored their initial outreach and "did some security patches" instead of negotiating. The group then gave Instructure and individual schools until May 12 to pay up before a full data dump.

The numbers being thrown around are staggering. ShinyHunters claims to have stolen data tied to roughly 275 million students, teachers, and staff across nearly 9,000 schools worldwide, including institutions in the U.S., U.K., Australia, New Zealand, Sweden, and the Netherlands. Instructure has confirmed that names, email addresses, student ID numbers, and internal messages between users were exposed, but says it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. TechCrunch independently reviewed sample data shared by the hackers and confirmed it included names, emails, and some phone numbers, consistent with Instructure's disclosures.

Read the full CBS News rundown here: https://www.cbsnews.com/news/cyberattack-shutters-canvas-learning-platform-for-schools-across-us/

CNN's reporting on the impact across major universities: https://www.cnn.com/2026/05/07/us/canvas-hack-strands-college-students-finals-week

Instructure first detected unauthorized activity in Canvas on April 29. The company publicly acknowledged the incident on May 1, said it had "contained" it on May 2, and then on May 3 a ransom letter from ShinyHunters surfaced on Ransomware.live, demanding payment by May 6 to avoid a leak that the group claimed would include "several billions of private messages." Instructure rolled out what it called security patches. Those patches did not fully close the door.

On May 7, the hackers came back through the same entry point. Instructure has now confirmed that the attackers exploited a vulnerability tied to its Free-For-Teacher accounts, the same vector used in the original April incident. The company has temporarily shut down all Free-For-Teacher accounts, restored Canvas access by Friday, and notified the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and international law enforcement partners.

What makes this incident so significant is the structural lesson. Schools individually did very little wrong here. The compromise sits with a single third-party vendor that 41 percent of North American higher education institutions and a huge slice of K-12 systems depend on. When one piece of that infrastructure falls, the blast radius is enormous. Anton Dahbura, executive director of the Johns Hopkins Information Security Institute, framed it bluntly to Inside Higher Ed: no platform is immune, and there are countless widely used systems that remain attractive targets, including for nation-states.

This is also the second major ed-tech breach claimed by ShinyHunters in the past month. The group was previously linked to attacks on PowerSchool, the University of Pennsylvania, Princeton, and Harvard. According to threat analyst Luke Connolly of Emsisoft, ShinyHunters has been around since 2020, is composed largely of teenagers and young adults based in the U.S. and U.K., and was responsible for the 2024 Ticketmaster breach that exposed the data of 560 million customers.

Inside Higher Ed's deeper analysis on third-party vendor risk: https://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/05/pay-or-leak-hackers-target-big-higher-ed-vendor

TIME's primer on ShinyHunters and the group's history: https://time.com/article/2026/05/08/canvas-cyber-attack-shinyhunters-hack-what-to-know/

The most uncomfortable subplot here is the question of payment. According to The Daily Pennsylvanian, ShinyHunters told the paper earlier this year that the University of Pennsylvania refused to pay a $1 million ransom, and the group later released what it claimed was Penn data. Penn says roughly 306,000 of its affiliates are caught up in the broader Instructure breach, with emails, names, Penn ID numbers, and course enrollments compromised.

By Friday, Instructure and Canvas had been removed from ShinyHunters' dedicated dark web leak site, according to Connolly. He noted that this typically signals one of two things: either negotiations are quietly underway, or the group is simply repositioning before a leak. The May 12 deadline still stands publicly.

The FBI has long advised against paying ransoms because it funds future attacks and offers no guarantee of data recovery. But for schools sitting on records of millions of minors, the calculus is brutal. This is the second time in recent memory that a single ed-tech vendor has put hundreds of universities and K-12 districts in this position, after the PowerSchool breach earlier this year, in which a Massachusetts college student was charged.

Past attacks on Minneapolis Public Schools and the Los Angeles Unified School District were warning shots. The Canvas incident is the loudest one yet that the U.S. education sector is structurally underprepared for vendor-side compromises at this scale, and that the patchwork of state and federal student privacy laws was not built for breaches measured in hundreds of millions of records.

The Daily Pennsylvanian's deep reporting on Penn's involvement: https://www.thedp.com/article/2026/05/penn-canvas-shinythunters-data-breach-hack-second

The Wikipedia overview tracking the incident in real time: https://en.wikipedia.org/wiki/2026_Canvas_security_incident

A few things to keep an eye on over the next week. First, the May 12 deadline. If ShinyHunters releases data, expect a wave of follow-on phishing and identity-fraud attempts targeting students, parents, and faculty using the leaked names, email addresses, and student ID numbers. Second, regulatory response. The FTC, the Department of Education, and several state attorneys general have all opened investigations into prior ed-tech breaches in the past 18 months, and an incident of this scale will almost certainly produce hearings, fines, and likely new disclosure requirements for ed-tech vendors. Third, insurance markets. Cyber insurance for educational institutions has tightened significantly over the past two years, and the Canvas breach is the kind of event that resets underwriting models for the entire sector.

If you are a student, teacher, or parent connected to any institution that uses Canvas, the practical advice from cybersecurity researchers is straightforward. Change any reused passwords, especially the ones tied to your school email account. Enable multi-factor authentication on accounts where it is not already on. Be skeptical of any email that references your school, your courses, or your ID number over the next several months, even if it appears to come from a familiar address. Phishing campaigns built on real, leaked context are dramatically more effective than generic spam.

We will keep tracking this story and bring you the next chapter as it develops. Stay safe out there.