Several school districts and universities in North Carolina have been affected by a hack on Canvas, an online learning management system used to distribute assignments and assign grades.
The hack is so remarkable that it has already earned its own Wikipedia page. But the ongoing threat of the hack is unclear as many districts have shut down access despite the company ensuring it is safe to use.
The cybercrime group ShinyHunters has claimed responsibility for the hack and is threatening to release the data of millions of students if not paid a ransom. Some messages gave schools until the end of the day on May 8 or May 12 to pay up, but Canvas’ parent company, Instructure, said there is no evidence the hacker currently has access to the platform.
[Subscribe for FREE to Carolina Public Press’ Daily, Weekend and Election 2026 newsletters.]
Instructure was digitally attacked April 25 but did not detect the incident until April 29. The Wake County Public Schools System notified families on May 6 after Instructure informed WCPSS and the North Carolina Department of Public Instruction. Current staff and students’ information may have been accessed, but there is “no indication” that passwords, dates of birth, government identifiers or financial information are at risk, WCPSS said.
Instructure posted an update Friday saying it had identified similar “unauthorized activity” again on Thursday, leading it to take Canvas offline. The company was able to confirm the hackers exploited an issue with Canvas’ Free-For-Teacher accounts, so it temporarily shut those accounts down but was able to get the rest of the site up and running again.
NC schools react to Canvas hack
Still, DPI shut off Canvas access for all North Carolina public schools after some users received messages demanding a ransom by May 12.
A message posted on the WCPSS site informs users it has disabled access to Canvas, and they should not attempt to access Canvas through alternate links or bookmarks, click any links or download files related to the hackers’ messages posted on the site.
“We are aware of a cybersecurity-related message currently appearing within Canvas for some users,” the pop-up message stated.
“Out of an abundance of caution, WCPSS has temporarily disabled the Canvas icon within the WakeID Portal while we work with our vendors and technology teams to verify system security and restore normal operations. This action is being taken proactively to protect staff and student access while the issue is investigated.”
Cabarrus and Union County Schools were also affected by the hack, according to WBTV. The districts did not respond to requests for comment from Carolina Public Press prior to publication of this article.
A spokesperson from Charlotte-Mecklenburg Schools told CPP Friday evening the hack did not compromise the district’s network but it has still disabled access to Canvas, although systems are fully operational according to Instructure.
“The incident occurred within the vendor’s systems and did not involve or compromise Charlotte-Mecklenburg Schools’ network or internal systems,” a district spokesperson said.
“Out of an abundance of caution, CMS has disabled Canvas access for staff and students and is conducting an internal security review to help ensure student and staff data remains protected. Security and data privacy remain top priorities for Charlotte-Mecklenburg Schools. CMS continues to closely monitor the situation in coordination with Instructure, the North Carolina Department of Public Instruction (NCDPI), and state partners. We will continue to provide updates as our review progresses and when it is determined to be secure to restore Canvas access.”
New Hanover County Schools was among one of the first to report effects of the hack. It provided an update to families Friday, confirming any information leaked was minor.
“We understand that situations involving student information can be concerning, and we want to reassure families that we are closely monitoring this issue and working with the state and Instructure to stay informed and support our schools throughout this disruption,” the update read.
“… At this time, information identified as compromised as part of the breach includes names, student ID numbers, messages between users, and email addresses. Importantly, there is currently no indication that passwords, dates of birth, government-issued identifiers, financial information, or Social Security numbers were involved. Although the situation originated outside of our district’s direct control, we are actively working with Instructure, NCDPI, and state partners to stay informed, advocate for timely updates, and help identify solutions that best support students and staff during this interruption.”
Elite private universities targeted
Duke University’s Information Technology Security Office confirmed that Duke was affected.
Access to the site was off-and-on throughout Thursday. The Chronicle noted final exams had already concluded for undergraduates, so students were largely unaffected by Canvas’ inaccessibility.
Duke is among other elite private universities like Harvard and Georgetown to be impacted. The university did not respond to CPP’s requests for an update.
Several universities do not currently use Canvas but have plans to switch to the platform in the near future, including North Carolina State University and Appalachian State University.
Not first hack affecting NC schools
The Canvas attack might feel reminiscent of the hack on Powerschool in 2024, also an education software commonly used in North Carolina K-12 schools. Matthew Lane, a Massachusetts college student, pleaded guilty last year for hacking and extorting the company for $2.85 million in Bitcoin.
It’s unclear exactly how much ShinyHunters is asking for ransom and in what form.
Ransomware attacks — malicious software that prevents users from accessing files until they pay a sum of money — have been happening more frequently in the last year, data shows.
“(GuidePoint Security) recorded a 58% year-over-year increase in victims, making 2025 the most active year ever reported by GuidePoint Security. In 2025, GuidePoint Security tracked 2,287 unique victims in Q4, 2025 alone — the largest number of victims in any quarter tracked by the GuidePoint Research and Intelligence Team,” the HIPAA Journal wrote.
A message from the Instructure CEO Steve Daly promised more transparency going forward as the company works to move past the incident.
“Last week, we made a call to get the facts right before speaking publicly,” the message read. “That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward.
“So here’s what we’re changing. We’ve launched a dedicated Incident Update page, a single place with what we know, what we’re doing, and what’s next. We’ll post another update within 48 hours and we’re working on delivering a summary of the forensics report; which we’ll share as soon as it’s ready.”
The most recent update from Saturday says Canvas is fully online and available for use.
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License. You may republish our stories for free, online or in print. Simply copy and paste the article contents from the box below. Note, some images and interactive features may not be included here.
