North Carolina Schools Recover from Statewide Canvas Cyberattack
A ransomware attack on Instructure’s Canvas, the learning management system used by North Carolina’s public schools, disrupted operations for thousands of students and educators in early May. The incident, claimed by the ShinyHunters hacking group, led to a temporary statewide shutdown of the platform after unauthorized access was detected on April 29.
The hackers initially breached Canvas through a Free-For-Teacher account, exfiltrating data tables containing student and staff names and school-assigned email addresses. A second intrusion occurred on May 7, when the attackers exploited a separate vulnerability to alter login pages, though Instructure disabled the attack within 10 minutes, preventing further data access. While the hackers claimed to have stolen data from 275 million users across nearly 9,000 schools, including private communications, officials stated that no passwords, Social Security numbers, financial information, or other sensitive personal data were compromised.
The North Carolina Department of Public Instruction (NCDPI) suspended Canvas access statewide upon discovering the breach, working with cybersecurity firm CrowdStrike to assess the damage. By May 9, Instructure confirmed the system was fully restored, and NCDPI reinstated statewide connectivity on May 11 at 4 p.m. In a deal with ShinyHunters, the stolen data was returned, and duplicates were destroyed.
Local districts, including Bladen County Schools, emphasized that no district-wide password resets were required but urged users to monitor accounts for potential phishing attempts, as exposed email addresses could be targeted. State Superintendent Maurice Green acknowledged the timing of the attack during final exams and graduations as particularly disruptive for students and educators.
Instructure reported that no ongoing signs of compromise remained, though the incident highlighted vulnerabilities in widely used educational platforms. The breach affected over 8,000 schools and 30 million users nationwide.
Instructure TPRM report: https://www.rankiteo.com/company/instructure-inc-
Bladen County Schools TPRM report: https://www.rankiteo.com/company/ncchartercoalition
"id": "nccins1779093352",
"linkid": "ncchartercoalition, instructure-inc-",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Thousands of students and '
'educators',
'industry': 'Education',
'location': 'North Carolina, USA',
'name': 'North Carolina public schools',
'size': 'Thousands of students and educators',
'type': 'Educational institutions'},
{'customers_affected': 'Over 8,000 schools and 30 '
'million users',
'industry': 'EdTech',
'name': 'Instructure (Canvas)',
'size': 'Over 8,000 schools and 30 million users '
'nationwide',
'type': 'Learning management system provider'}],
'attack_vector': ['Compromised Free-For-Teacher account',
'Exploited vulnerability in login pages'],
'customer_advisories': 'Urged users to monitor accounts for phishing attempts '
'due to exposed email addresses',
'data_breach': {'data_exfiltration': True,
'file_types_exposed': 'Data tables',
'number_of_records_exposed': 'Claimed 275 million users '
'(official statement: no '
'sensitive data compromised)',
'personally_identifiable_information': 'Names and email '
'addresses',
'sensitivity_of_data': 'Low (no passwords, SSNs, financial '
'information, or other sensitive '
'personal data)',
'type_of_data_compromised': 'Student and staff names, '
'school-assigned email addresses'},
'date_detected': '2024-04-29',
'date_resolved': '2024-05-11',
'description': 'A ransomware attack on Instructure’s Canvas, the learning '
'management system used by North Carolina’s public schools, '
'disrupted operations for thousands of students and educators '
'in early May. The incident was claimed by the ShinyHunters '
'hacking group, leading to a temporary statewide shutdown of '
'the platform after unauthorized access was detected.',
'impact': {'brand_reputation_impact': 'Highlighted vulnerabilities in '
'educational platforms',
'data_compromised': 'Student and staff names, school-assigned '
'email addresses',
'downtime': 'Statewide suspension from April 29 to May 11',
'identity_theft_risk': 'Potential phishing attempts due to exposed '
'email addresses',
'operational_impact': 'Disrupted final exams and graduations for '
'students and educators',
'systems_affected': 'Canvas learning management system'},
'initial_access_broker': {'entry_point': 'Free-For-Teacher account'},
'investigation_status': 'Completed',
'lessons_learned': 'Highlighted vulnerabilities in widely used educational '
'platforms',
'post_incident_analysis': {'corrective_actions': ['Disabled attack within 10 '
'minutes',
'Restored system and '
'destroyed duplicates of '
'stolen data'],
'root_causes': ['Compromised Free-For-Teacher '
'account',
'Exploited vulnerability in login '
'pages']},
'ransomware': {'data_exfiltration': True},
'recommendations': 'Monitor accounts for potential phishing attempts due to '
'exposed email addresses',
'references': [{'source': 'North Carolina Department of Public Instruction '
'(NCDPI)'},
{'source': 'Instructure'}],
'response': {'communication_strategy': 'Advisories to monitor accounts for '
'phishing attempts',
'containment_measures': 'Disabled attack within 10 minutes, '
'suspended Canvas access statewide',
'incident_response_plan_activated': True,
'recovery_measures': 'Fully restored system by May 9, reinstated '
'statewide connectivity on May 11',
'remediation_measures': 'Restored system, destroyed duplicates '
'of stolen data',
'third_party_assistance': 'CrowdStrike'},
'stakeholder_advisories': 'State Superintendent Maurice Green acknowledged '
'the disruption during final exams and graduations',
'threat_actor': 'ShinyHunters',
'title': 'North Carolina Schools Recover from Statewide Canvas Cyberattack',
'type': 'Ransomware',
'vulnerability_exploited': 'Separate vulnerability in login pages'}