SPRINGFIELD – Thousands of students around the country, and the world, who were preparing for final exams last week suddenly found themselves locked out of their online university software after a cyberattack disrupted Canvas, one of the country’s most widely used online learning platforms.
The breach affected nearly 9,000 schools and educational institutions worldwide during one of the busiest periods of the academic year, forcing some universities – including portions of the University of Illinois system – to pause coursework, extend deadlines and improvise alternatives while information technology staffs assessed the disruption.
The incident exposed how dependent modern universities have become on a small number of centralized digital vendors that now function as critical infrastructure for higher education.
Instructure, the Utah-based company that owns Canvas, confirmed unauthorized activity was first detected April 29 before additional actions were identified May 7, when attackers appeared to reveal their presence by altering Canvas login pages viewed by students and instructors.
A week on since the initial breach, relatively few technical details have surfaced about how the attackers initially gained access to the system. Instead, attention is being drawn to the industrial apparatuses and technologies supporting modern hackers.
Instructure has created an entire crisis-response webpage outlining their position on the Canvas hack.
Their attackers – it has been revealed – also have a unique webpage for Instructure – on the dark-web. Listed alongside Canvas are their other targets. Companies like Cushman & Wakefield, Vimeo, Udemy, 7-Eleven, The Canada Life Assurance Company and Carnival Corporation – the parent company of the famous cruise ship line – are all listed.
The hackers, operating under the name ShinyHunters, appear to run a professionalized dark-web extortion operation resembling a modern business enterprise, where they organize sophisticated attacks, and fund them through illegal bug-bounties.
Instructure later acknowledged it had reached an “agreement” with the attackers after the breach. While the company did not explicitly confirm whether a ransom payment was made, multiple reports indicated some form of settlement occurred after hackers claimed to possess data tied to approximately 275 million users, although NPR Illinois cannot independently confirm any value exchanged hands.
ShinyHunters posted their now-infamous ransom-style messages on Canvas login pages; warning institutions they had until May 12 to negotiate before the (allegedly) stolen data would be leaked publicly.
According to Instructure, the stolen information may have included usernames, email addresses, student identification numbers, course information and private messages exchanged between students and instructors. Instructure said there was no evidence passwords, financial information or coursework submissions were compromised.
Instructure added that affected customers would not need to negotiate individually with ShinyHunters. It is also unclear if any institutions acted on their own during the incident or remained bound by Canvas’ terms and conditions.
With so little being officially disclosed – and even less being independently forensically understood – the fingerprints around the edges of the attack are drawing increased attention where hard facts may still be lacking.
For Eric Shaffer, associate director of academics at the Siebel School of Computing and Data Science at the University of Illinois Urbana-Champaign, the timing of the attack appears suspicious and intentional – and may mean the attackers are more sophisticated than investigations are willing to admit.
“It seems too coincidental for them to have been able just to randomly do it during finals week,” Shaffer said. “I think we can guess that they had [access] for a while and they were timing it.”
Shaffer cautioned, however, that investigators still do not publicly know exactly how attackers gained access to Canvas systems or how long they may have remained inside the network before revealing themselves.
ShinyHunters has been linked to a growing list of high-profile cyberattacks in recent months, including an April 2026 breach involving Rockstar Games and cloud-linked systems connected to the upcoming release of Grand Theft Auto VI.
Online statements attributed to ShinyHunters suggested the Canvas incident reflected a longer-running conflict with Instructure, claiming the company had previously attempted security fixes following (implied) earlier breaches.
On May 7, attackers appeared to breach Canvas a second time, replacing some university login pages with a playfully terrifying ransom-note displaying the heading “rooting your systems since ’19.”
The repeated intrusions underscore a broader concern increasingly raised by cybersecurity researchers: as digital platforms become more centralized, interconnected and essential to everyday life, a single successful breach can potentially disrupt thousands of institutions simultaneously by compromising their shared infrastructure.
“The more connected institutions become,” says Shaffer, “the more disruptive a single failure can be.”
Increasingly, researchers warn that modern cyberattacks are no longer simply attempts to break into computer systems, but are instead efforts to weaponize society’s growing dependence on the digital infrastructure modern society depends on.
Federal cybersecurity and intelligence officials have increasingly warned that ransomware attacks are becoming more aggressive, financially damaging and strategically focused on institutions that provide critical public services.
Reports from the U.S. National Counterintelligence and Security Center and IBM’s 2025 X-Force Threat Intelligence Index describe how a rapidly evolving cybercrime landscape is increasingly being driven by organized extortion operations – often resembling legitimate businesses with project-work-flows, vertical-integration and human-resources – coordinating ransomware attacks in cyber-space via a command-structure operating from the dark-web.
The NCSC estimated ransomware attacks cost American schools and colleges more than $3.5 billion in 2021 alone, while attacks against federal, state and local government organizations exceeded $70 billion between 2018 and 2022.
Similarly, IBM researchers found organizations tied to critical infrastructure accounted for roughly 70% of the cyber incidents their analysts responded to in 2024. This trend may be reinforcing concerns that highly centralized systems may be de-facto functioning as attractive “single points of failure” for organized cybercriminal groups.
More recent findings from cybersecurity firm Sophos – whose earlier 2023 ransomware research was submitted to a U.S. House oversight hearing examining cyber threats and critical infrastructure – suggest schools and universities remain especially vulnerable to ransomware-style attacks as hackers increasingly rely on phishing campaigns, compromised credentials and exploited software vulnerabilities to gain access to institutional systems.
Sophos’ 2025 “State of Ransomware in Education” report found many institutions continue struggling with operational disruption, recovery costs and staffing pressures tied to modern ransomware attacks.
Sophos researchers found exploited software vulnerabilities, compromised credentials and phishing campaigns remained among the leading causes of ransomware intrusions in 2025, while organizations affected by encrypted-data attacks increasingly relied on backups and ransom payments to restore their systems.
The report also found credential compromise and social engineering continue playing major roles as support architectures in successful ransomware intrusions – concerns cybersecurity researchers say may mirror aspects of the Canvas breach, particularly surrounding speculation that compromised “Free-for-Teacher” accounts – or other stolen credentials which may have contributed to ShinyHunters’ access to Canvas systems.
The findings reflect a broader concern increasingly voiced by cybersecurity researchers: as universities consolidate more coursework, communication and administrative functions onto shared digital platforms, successful intrusions can potentially disrupt thousands of institutions simultaneously through a single breach – a single-point-of-failure.
That growing dependence on concentrated digital platforms has increasingly transformed cyberattacks from isolated technical incidents into operational crises capable of disrupting entire sectors at once.
Researchers NPR Illinois spoke with compared the disruption to the 2024 ransomware attack against Change Healthcare, which temporarily crippled insurance claims and payment systems nationwide after attackers breached one of the country’s largest healthcare technology providers.
Security researchers say these kinds of centralized systems can create what are commonly referred to as “single points of failure,” where one successful compromise can ripple across thousands of dependent organizations. That type of scale may help explain why the Canvas breach caused such widespread disruption.
“These intrusions may technically occur in cyberspace, but the real disruption is social, not digital,” Shaffer told NPR Illinois. “The attack is not merely against software or servers, but against the trust and dependency built around those systems.”
Of all the details involved in the Canvas incident, trust is – ironically - being highlighted by how modern ransomware operations increasingly resemble organized business.
Hackers negotiating with their victims now maintain their reputational capital like a corporation, they must be trustworthy (enough) to be taken at their own word, and they must deliver on time. Hackers’ “business” reputations follow them from one company (they hack) to another.
Screenshots circulating online appeared to show ShinyHunters operating through a professionalized leak portal where alleged victims and stolen datasets were cataloged publicly alongside ransom demands.
Cybersecurity firms including Sophos and CrowdStrike have warned ransomware groups increasingly operate through structured “ransomware-as-a-service” ecosystems in which criminal organizations share infrastructure, malware and stolen credentials in ways that lower technical barriers for attackers.
Worse, the advent of A.I. potentially being employed by modern hackers to breach systems can further assist in data-mining operations once information is collected. The rise of A.I. enhanced ransomware-as-a-service – or RaaS – is defining this new paradigm.
“I think it’s important not to assume we know exactly what this means,” Shaffer said stressing caution since so much of the Canvas hack took place and was resolved out of sight.
“Both hackers and companies affected by cyberattacks are often incentivized to limit how much information becomes public.”
Instructure said it received digital confirmation the data had been deleted after the agreement with attackers, though the company acknowledged there is “never complete certainty when dealing with cyber criminals.”
In a statement published after the breach, Instructure CEO Steve Daly apologized for the disruption and acknowledged schools “deserved more consistent communication” during the incident.
“Here we have an example of a centralized service that becomes an enticing target because it serves so many institutions,” Shaffer said while discussing how new technologies are making both the scale and sophistication of cyberattacks increase.
Shaffer said consolidated digital systems may become even more attractive targets as AI-assisted attacks evolve and argues that more decentralized systems may ultimately prove more resilient because they reduce both the scale and attractiveness of potential attacks.
“If we were to decentralize the service and have learning management systems run more locally and not be the same everywhere, it would both be harder for people to hack at that scale and also be less enticing for them to do so because the payoff is not as great,” he said.
As higher education grapples with the apparent burdens of legacy-systems, the once-abstract computer science notion of decentralization is becoming increasingly tangible – especially for universities that rely on platforms like Canvas – which have evolved from convenience tools into the day-to-day backbone of nearly every school in America, and now – into potentially significant vulnerabilities. Concerns raised by researchers like Shaffer are also echoing broader debates unfolding at the international policy level.
The U.S. State Department’s 2022 “Declaration for the Future of the Internet,” warns that the “once decentralized Internet economy has become highly concentrated” as governments and technology companies consolidate their digital infrastructures and online services – essentially describing how corporate and institutional centralization has corrupted the underlying decentralized framework the Internet was originally conceived as.
The declaration described the Internet’s original architecture as an open, decentralized “network of networks” and warned that cybercrime, ransomware, disinformation campaigns and concentrated digital control increasingly threatens infrastructure resilience, democratic institutions and public trust online.
Computer scientists studying cybersecurity and distributed systems have long examined how large networks maintain trust even when parts of a system become compromised, deceptive or unreliable – concepts rooted in foundational theories such as the “Byzantine Generals Problem,” first formalized in the 1980s.
The research has evolved from an abstract military allegory into one of the core conceptual frameworks behind modern distributed systems, cloud computing, cybersecurity and blockchain infrastructure.
But Andrew Miller, a University of Illinois Urbana-Champaign computer scientist whose research focuses on cryptography, blockchain systems and distributed computing, cautioned against treating decentralization itself as a simple solution to cybersecurity threats.
“I do think universities like UIUC have excellent IT staff and capability,” Miller told NPR Illinois. “For others, it may be better to rely on vendors. There’s a ‘get what you pay for’ of course.”
Miller said the growing role of artificial intelligence may prove more significant than decentralization alone as hackers increasingly automate phishing, reconnaissance and social engineering operations.
“The main worry I have is that attackers increase in velocity, but defenders are slow to adapt,” Miller said.
While decentralized systems like those used by modern cryptocurrencies are often discussed in cybersecurity circles. Platforms like Ethereum, Miller argues, are modern digital sandboxes where the most important lessons in the long run may come less from building decentralized systems and more from the aggressive security culture surrounding its development.
“They have been very proactive in defensive security research like post quantum cryptography, formal verification, whitehat groups and bug bounties and other social mechanisms to promote security,” said Miller.
“We should be using AI tools to aggressively audit and employ formal methods to remove software vulnerabilities,” said Miller.
“AI will enable broader and more effective ways to attack the security of systems,” Shaffer agrees.
Researchers now say artificial intelligence could accelerate the creation of dark-web exploits even further by automating botnets.
AI-generated robocalls imitating former President Joe Biden’s voice during the 2024 election cycle is another example of how AI can be used to manipulate public behavior through increasingly convincing forms of digital impersonation and social-engineering.
The growing role of artificial intelligence and cybersecurity vulnerabilities is also drawing increased attention from lawmakers.
State Sen. Sally Turner, a Beason Republican, said governments are struggling to keep pace with rapidly evolving digital and artificial intelligence technologies.
“The government is working to keep pace with systems that are evolving faster than the policies that govern them,” Turner told NPR Illinois.
Shaffer, Turner and Miller see incidents like the Canvas breach as illustrations of how large centralized systems can become attractive targets for cyber-attacks. Sen. Turner further believes governments must begin establishing “thoughtful guardrails and clear standards” for AI and emerging technologies.
Turner is sponsoring Senate Bill 1366, known as the State Government AI Act, which would require Illinois agencies to establish policies governing the development, procurement and use of artificial intelligence systems – including annual impact assessments that prohibit state agencies from deploying AI systems unless permitted under statewide rules starting in 2028.
“The internet actually is a decentralized service,” Shaffer said. “It’s actually impressive in how robust it is because it’s built that way.”
Many of the platforms layered on top of the internet – like Canvas – have moved in the opposite direction however – consolidating critical services into centralized systems whose failures can ripple across networks like waves in a pond from the drop of a single stone.
For students scrambling to submit assignments or faculty improvising around disrupted exam schedules, the Canvas breach offered a final exam for academia in a different sense – a reminder that digital convenience is sometimes as much a hindrance to education as it is a benefit.
Books smell better than computers too.
