The Augmented Educator

Counterfeits at the Schoolhouse Door

The Canvas Breach and AI-Assisted Cybercrime

Michael G Wagner
May 15, 2026

This post follows my standard early access schedule: paid subscribers today, free for everyone on May 26.

On May 7, 2026, a Thursday, a significant number of Canvas users encountered an “Under Maintenance” message as they tried to log into the widely adopted Learning Management System. What few realized at that moment was that behind this innocuous notice stood one of the most severe cyberattacks on educational institutions on record. The criminal syndicate ShinyHunters had exfiltrated 3.65 terabytes of data covering approximately 275 million students, faculty, and staff across nearly 9,000 institutions worldwide.

I have written on The Augmented Educator about the growing threat landscape created by AI-assisted cybercrime before. The Canvas breach served as a stark reminder that cybersecurity is now a direct concern for educators, not just a distant issue. It hit our profession at its core. Understanding how and why cybercrime is increasingly targeting educational institutions has therefore become our professional responsibility.

In the following essay, I want to break down what happened, examine how the breach has affected institutions and the educators within them, explain the AI-assisted infrastructure that made an attack of this scale possible, and discuss what we should do to prepare for what is almost certainly coming next.

While the technical sophistication of the Canvas attack is real, it is not what makes the incident distinctive. The most critical feature is that the entire operation depended on counterfeits: counterfeit voices that impersonated trusted IT administrators, counterfeit login pages indistinguishable from the real ones, and counterfeit free accounts used as a side entrance into premium institutional environments.

The result was an industrial-scale counterfeit operation, made possible by AI.

What happened, in plain terms

The breach itself was the work of ShinyHunters, a financially motivated cybercriminal syndicate that has been active since 2020. The syndicate has spent the last two years building a systematic campaign against the educational technology supply chain. Before Canvas, the same group breached PowerSchool in December 2024, Infinite Campus in March 2026, and McGraw-Hill in April 2026. They also conducted direct intrusions at the University of Pennsylvania, Harvard, and Princeton in late 2025.

The UPenn breach in particular, in which the attackers extracted Canvas data from a single institution and demanded a $1 million ransom, is now understood as a proof-of-concept attack. ShinyHunters used that operation to map the architecture of Canvas itself, then turned the same techniques on the platform’s central infrastructure several months later.

The initial intrusion at Instructure, the company that develops and operates Canvas, occurred on April 25, 2026. Instructure’s security systems identified unusual data extraction on April 29, and the company started containment measures on April 30. But by that point, the attackers had already obtained the 3.65 terabytes of data described above. The compromised material included full names, institutional email addresses, student identification numbers, and, most disturbingly, billions of private messages exchanged within Canvas’s internal messaging system.

On May 6, Instructure publicly declared the incident resolved.

On May 7, the attackers defaced the global Canvas login page during the first week of final examinations across the Northern Hemisphere.

© 2026 Michael G Wagner