I plan my newsletters weeks in advance. As a cybersecurity and counterintelligence expert, futurist, and spy aficionado, I'm always hunting for the stories that matter most to this community of Spy Hunters.
And then a single event wipes away my careful plans and demands our attention.
The last time I completely repositioned my writing, the United States had just launched a strike on Iran. That kinetic battle continues, and I'm still suiting up to cover it. But while that war rages on the other side of the world, another battle has landed right here at home—one that didn't target infrastructure, military assets, or government systems.
This one stole the tools our students use to learn.
The Canvas breach is, in my assessment, the most consequential cyberattack of the year. It exposed the fragility hiding inside the systems an entire generation depends on daily, and the response from the company responsible raises serious questions that deserve serious answers.
Of course I had to write about it.
This special edition of Spies, Lies & Cybercrime carries one article: a full deep dive into the Canvas attack—how it happened, why it matters, who ShinyHunters are, and what parents and students need to do right now. No other stories. No distractions. Just the one thing that couldn't wait.
Enjoy, and as always, stay safe out there.
~ Eric

The Day School Went Offline
When ShinyHunters breached Canvas during finals week, millions of students didn't just lose a website. They lost school itself—and the company that built their world may have seen it coming.
Not too long ago, students carried backpacks heavy enough to qualify as resistance training.
Stuffed inside were spiral notebooks, graph paper, dog-eared textbooks, TI calculators, folders bursting with loose worksheets, and enough pens and pencils to supply a small office. My generation lugged around rulers, protractors, and giant three-ring binders that somehow exploded open at the worst possible moment.
Today, I watch my teenagers leave for school carrying little more than an iPad.
That single device replaced nearly everything. Textbooks live online. Homework is submitted through the cloud. Calculators, rulers, protractors, notebooks, quizzes, and tests all exist inside apps and learning platforms. Teachers grade assignments digitally and provide real-time feedback without ever uncapping a red felt-tip pen. Parents no longer wait nervously for report cards because we see grades instantly — every quiz, every homework assignment, every test score delivered to our phones like notifications from a world that never stops measuring.
Much of this modern educational ecosystem runs through a learning platform called Canvas. And like so many aspects of modern life, we quietly moved something essential into the digital world and created a single point of failure.
Then came May 2026. And suddenly, school itself went offline.
The Call
Late last night, a friend called me in a panic. Her daughter had spent months writing a paper for creative writing class. She had already received one extension and now had until midnight to submit the assignment through Canvas. But when she tried to log in, the platform would not load. Instead, the browser opened to a dark screen carrying a warning from a cybercrime group called ShinyHunters.
The paper was due in less than an hour.
Without Canvas, they could not contact the teacher. They could not upload the assignment. They could not even verify whether the school systems were functioning normally.
"What do we do?" she asked me.
At almost the same moment, my own daughter texted me. "Canvas is down," she wrote. "I think this is a big deal and you should write about it."
Since then, dozens of friends, family members, students, and parents have reached out asking for help, updates, or simply reassurance that somebody understood how disruptive this had suddenly become. What many adults initially dismissed as "a school website being down" was something very different for the students living inside it. Canvas is not just software anymore. For millions of students, it is school.
Stories like the following played out across the country — the names are illustrative composites, but the situations are real.
A college junior studying biochemistry—call her Maya—had been working through her organic chemistry final for forty minutes when the exam window froze. Canvas did not crash with an error message. It simply stopped responding, her answers suspended somewhere between her keyboard and the server. She refreshed. The session was gone. She called her professor, got voicemail, tried the department office, got a recorded message. She spent the next two hours documenting the outage with screenshots and drafting an email she wasn't sure anyone would read before the grade posted.
A high school senior — call him Daniel — had spent the better part of his spring securing a regional scholarship that required a teacher recommendation uploaded directly through Canvas by his AP English teacher. The deadline was fixed; the scholarship committee would not extend it. When Canvas went dark, his teacher had no way to submit. The recommendation existed. The relationship was real. But the door to submit it was locked, and nobody had a key.
What Happened to Canvas?
On May 1, 2026, Instructure, the company behind Canvas, disclosed that attackers had gained unauthorized access to portions of its systems. The announcement carried the carefully managed language Americans have come to expect after corporate breaches: an investigation was underway, remediation efforts were in progress, services were being restored.

Source: Instructure
But Canvas is not some obscure internal platform. It sits at the center of modern education — the place where assignments are submitted at 11:58 p.m. before a midnight deadline, where teachers leave feedback, professors upload lectures, and schools quietly manage the daily rhythm of learning. For many colleges and K-12 systems, Canvas functions less like optional software and more like educational infrastructure.
Then the outages spread. Students across the country reported login failures, frozen exams, inaccessible coursework, and maintenance screens replacing assignments. The disruptions escalated quickly and arrived at the worst possible moment. Finals season had already begun at many colleges and high schools, transforming what might have been an inconvenience in October into a genuine crisis in May.
ShinyHunters Ransomware note.
Then ShinyHunters stepped forward. The cybercrime group claimed responsibility and alleged that nearly 9,000 schools worldwide had been affected. The group claimed to possess approximately 275 million student, teacher, and staff records — including billions of private messages — and more than 3.6 terabytes of stolen data. Those figures come from the attackers themselves and could not be independently verified; cybercriminals routinely inflate claims for leverage. Instructure has not confirmed the specific numbers. What is not in dispute is that a serious breach occurred, that it affected core services during finals week, and that the group issued a familiar ultimatum to schools and Instructure alike: negotiate privately or we release everything.
The message was not subtle. It was extortion delivered with a countdown clock.
"The goal is not merely to breach systems. It is to create enough chaos that victims feel cornered into negotiation."
What Instructure Got Wrong
Instructure's response deserves more scrutiny than it has received. Based on what has emerged publicly, the company appears to have known that a threat existed, conducted internal remediation, and declared the situation sufficiently contained — without fully closing the door that let the attackers in.
This is a pattern that cybersecurity professionals recognize immediately, and it has a name.
What appears to have happened here is a company practicing resilience without threat hunting — two very different disciplines that are too often conflated. Resilience means restoring systems and recovering data after an incident. Threat hunting means actively searching for evidence that attackers are still present, have left backdoors, or have established persistent access that survived the initial cleanup.
It is never enough to restore data after a breach. You must hunt for the attacker. You must find and close the specific vulnerability or access pathway that allowed them in. Anything less is the equivalent of patching the hole in the roof while the leak is still running — you feel like you've done something, but the damage continues.
A company holding data on hundreds of millions of students and teachers has an obligation that goes beyond recovery. The question Instructure needs to answer publicly is not "did we restore services" but "did we confirm the attacker was fully evicted before we brought those services back online." Based on available evidence, that question remains unanswered.
The timing of the attack made the institutional failure even more consequential. Cybercriminals understand human behavior well. They know exactly when organizations are least capable of tolerating disruption, and they strike accordingly. Hospitals are attacked during emergencies. Cities are hit during tax season. Schools, apparently, are attacked during finals week. Every hour that Instructure spent managing public communications rather than confirming full attacker eviction was an hour that students, teachers, and families remained exposed.
Why This Attack Matters
For years, cyberattacks focused primarily on locking companies out of their own systems. Increasingly, criminal groups have learned that the real leverage comes not from encryption but from exposure. Educational platforms contain far more than grades and attendance records. They contain fragments of young lives.
Students communicate with teachers about failing classes, disciplinary issues, anxiety, depression, relationship struggles, and family problems. Professors and counselors exchange sensitive discussions involving accommodations, behavioral concerns, academic integrity investigations, and personal crises. Much of it exists in writing, preserved indefinitely inside cloud systems most users assume are private.
If even part of the hackers' claims is accurate, the implications extend far beyond ordinary identity theft. For many students, the fear is not simply fraud. It is humiliation. It is exposure. It is the realization that some of the most personal conversations of their lives may now exist inside criminal databases circulating across the dark web.
Who Are ShinyHunters?

Security researchers like my friends at Vali Cyber describe ShinyHunters less as a traditional criminal organization and more as a loose cybercrime collective operating under a shared reputation. The group emerged around 2020 and quickly became associated with high-profile breaches involving Ticketmaster, AT&T, Rockstar Games, and other major targets. In 2024, Live Nation confirmed unauthorized access to data tied to roughly 560 million Ticketmaster users after ShinyHunters claimed responsibility. The same year, the U.S. Department of Justice announced the sentencing of a French national accused of participating in ShinyHunters-related operations involving wire fraud and identity theft.
Yet arrests rarely dismantle groups like this for long. Modern cybercrime functions less like organized crime and more like a decentralized online ecosystem. Members operate under aliases. Affiliates collaborate temporarily before disappearing. Arrest one participant and another quickly adopts the brand, the tactics, and the infrastructure. In many ways, the name itself becomes the weapon — because fear scales faster than malware.
Groups like ShinyHunters understand something many cybersecurity discussions overlook: angry parents, anxious students, public embarrassment, media attention, and institutional panic all become part of the attack surface. The goal is not merely to breach systems. It is to create enough chaos that victims feel cornered into negotiation.
What Comes Next — And What to Watch For
The danger for students may not end when Canvas fully comes back online. Whenever a major cyber incident dominates headlines, opportunistic criminals rush in behind the original attackers. Security experts are already warning of phishing campaigns disguised as official Canvas communications.
These will not look like obvious scams. Because attackers may possess legitimate student information—names, institutional email addresses, enrollment data, even message history—the impersonation attempts that follow a breach like this can be highly convincing. A fake password-reset email addressed to you by name, from what appears to be your school's Canvas domain, referencing your actual course enrollment, is very difficult to identify as fraudulent under normal circumstances. During the confusion of finals week, it becomes nearly impossible.
The most dangerous message a student receives in the next few weeks may appear to come from Canvas and look something like this:
“Your assignment didn’t upload, click here to resubmit.”
“Your tuition has been put on hold due to an error. Log in at this link to confirm your enrollment.”
Either of these communications could come from opportunistic cybercriminals who have just bought a student’s information off the dark web. So, to state it clearly: do not click links in any email claiming to be from Canvas, Instructure, or your school's IT department right now. Navigate directly to known URLs. Verify communications through official school channels before acting. If something asks you to re-enter credentials, treat it as suspicious until confirmed otherwise.
Post-breach phishing spikes are a documented pattern following every major educational data incident in recent years. Students and parents should expect them.

Dependency = Vulnerability
Technology has unquestionably improved education. Students today have access to tools, information, and collaboration opportunities previous generations could scarcely imagine. Entire libraries fit inside devices thin enough to slide into a backpack sleeve. Parents monitor academic progress in real time. Teachers personalize instruction faster than ever before.
But every technological convenience creates dependency, and dependency creates vulnerability. We built educational systems assuming connectivity would always exist. We centralized classrooms into cloud platforms. We replaced physical redundancy with digital efficiency. And somewhere along the way, we stopped asking a basic question: what happens when the system itself disappears?
An entire generation has grown up inside digital learning environments without ever truly considering that possibility. Many students have never submitted a handwritten paper, carried a printed syllabus, or experienced school without cloud-based systems quietly operating in the background. For them, Canvas going dark was not a technical inconvenience. It was the sudden removal of the ground beneath their feet.
The Canvas attack was not just a software outage or another cyber headline flashing briefly across cable news. It was a reminder that modern life functions a bit like oxygen. Most people never think about it until suddenly they cannot breathe.
My new hub, PROTECT, is now live at ericoneill.net/protect and it’s built for anyone who wants to stop cybercriminal scammers cold. And it’s FREE!
If you want the full battle manual, that’s in Spies, Lies and Cybercrime. If you want to start protecting yourself right now? Begin here
Praemonitus Praemunitus!
See Me Live TODAY!

See me live today at 1:30 PM ET (Tuesday, May 12) for a FREE virtual fireside chat hosted by DeleteME. I’ll break down the terrifying rise of AI-driven deception, deepfakes, and the cyber tradecraft criminals are using to manipulate human beings. No slides. No corporate speak. Just a live tactical conversation about the future of cybercrime and trust.