Duke among 9,000 schools affected by Canvas cyberattack

Key Points:

• On May 7, the online learning platform Canvas was disrupted again after hackers from the group ShinyHunters posted a message threatening to release stolen data unless contacted by May 12, 2026, demanding negotiations to prevent the leak.
• ShinyHunters claimed to have breached Instructure, Canvas's parent company, stealing data from 9,000 schools, including Duke University, affecting 275 million students and teachers with exposed identifying information such as names, emails, and student IDs, but no passwords or financial data were compromised.
• Instructure initially reported the incident was resolved on May 3 with Canvas fully operational, but the threat of data leakage remains, and Duke's IT Security Office continues to monitor the situation without confirming additional protective measures or responses.
• The breach also impacted other institutions and school systems, including Harvard University, the University of Pennsylvania, and North Carolina K-12 schools, with some districts notifying families and staff about the cyberattack.
• Canvas is widely used in North American higher education, including Duke, which transitioned to the platform during the 2023-24 academic year, and the disruption occurred after undergraduate finals ended and before the start of the summer term.