NC students, school employees receive online ransom threat from data breach
AI-generated summary reviewed by our newsroom.
- Wake County shut off Canvas access and warned users not to respond to the ransom pop-up.
- ShinyHunters claimed the attack affected nearly 9,000 schools and over 275 million people.
- Instructure reported no indication that passwords or financial data were exposed.
Students and school employees across North Carolina got a ransomeware demand Thursday when they logged into the Canvas learning management system.
The pop-up message purportedly from the hacking group ShinyHunters gave users until May 12 to contact them or risk having their personal information exposed publicly. Instructure, the education technology company which owns Canvas, posted on its website that Canvas is down.
In response, the Wake County school system said Thursday it’s temporarily shutting off access to Canvas and urged people not to log into Canvas or respond to the ransom threat.
“Do not click on any links, download files, or respond to any messages related to the pop-up,” Wake said in a message on its website Thursday.
May 12 deadline given in threat
Duke and the University of North Carolina were also affected.
Canvas is an online learning management system where students access assignments and materials, The Charlotte Observer reported. Canvas is part of North Carolina’s statewide learning management system and used by public schools across the state.
Canvas is widely used by school districts around the country and roughly 41% of colleges and universities in North America.
Over the weekend, Instructure was hacked by ShinyHunters, a criminal extortion group that’s also been linked to data breaches at three Ivy League institutions in late 2025. The group claimed its attack on Instructure affected nearly 9,000 schools worldwide and exposed personal identifying information for over 275 million students, teachers and staff, according to Inside Higher Ed.
Wake learned of the data breach on Tuesday and notified families on Wednesday.
“Based on the information we have received, personal data of current staff and students may have been accessed, but there is no indication that passwords, dates of birth, government identifiers, or financial information were involved in the breach,” Wake initially told families on Wednesday.”
At least some Wake users who logged in on Canvas on Thursday got a pop-up message claiming to be from ShinyHunters. According to the message, ShinyHunters said it had breached Instructure again.
The message said Instructure has until May 12 to pay a ransom.
The message included a link that the group says shows which schools are affected. The message said users had until the end of the day May 12 to contact them to “negotiate a settlement.”
“You have till the end of the day by 12 May 2026 before everything is leaked,” according to the pop-up message.
Data breach affects NC universities
Canvas is also used by some North Carolina colleges and universities.
UNC-Chapel Hill said Canvas is currently unavailable due to a system outage caused by a cybersecurity incident of its parent company Instructure that is impacting 9,000 universities and schools nationwide
UNC said there’s no impact on spring semester finals because they concluded Thursday.
“We are currently analyzing how the outage may impact grade submissions, which are due Monday, May 11,” UNC said. “We will provide updates and any necessary information to faculty and students as we know more.”
Duke University is also dealing with the hacking attack.
“Duke has been notified by Canvas, which provides the university’s learning management system, of a cybersecurity incident resulting in unauthorized access to data at Canvas from thousands of institutions, including Duke,” Nick Tripp, chief information security officer at Duke University, said in a statement.
“The IT Security Office is closely monitoring this incident and is continuing to assess any effect on the university community. According to the notification from Instructure, the parent company for Canvas, it has found no indication that passwords, dates of birth, government identifiers, or financial information were involved.”
Tripp said Duke’s IT Security Office will continue to monitor the situation and will provide updates as new information becomes available.
Staff writer Jane Winik Sartwell contributed.
This story was originally published May 7, 2026 at 5:30 PM.
