Cyber Incident Victim: Duke University

On May 7, 2026, students and educators who logged into the Canvas learning management system encountered a pop‑up message claiming to be from the hacking group ShinyHunters. The message stated that ShinyHunters had breached Instructure, the parent company of Canvas, and gave recipients until the end of the day on May 12, 2026, to contact the group to negotiate a settlement. It warned that failure to make contact would result in the public release of personal information accessed through the platform. The pop‑up appeared during finals week at several universities, including the University of Pennsylvania, Virginia Tech, Duke University, and others. According to the message, the breach exposed names, emails, student course schedules, and ID numbers of Canvas users. ShinyHunters also referenced a previous breach of Instructure that month, alleging that the company had ignored their demands and applied only security patches. The group claimed that the attack affected roughly 9,000 schools worldwide and compromised data for over 275 million students, teachers, and staff. Instructure confirmed the breach and posted on its website that Canvas was down.

Duke University was notified by Canvas that its learning management system had experienced unauthorized access to data from thousands of institutions, including Duke. Nick Tripp, Duke’s chief information security officer, said the IT Security Office was closely monitoring the incident and assessing any effect on the university community. He added that, according to Instructure’s notification, there was no indication that passwords, dates of birth, government identifiers, or financial information had been involved in the breach. Duke’s IT Security Office stated it would continue to monitor the situation and provide updates as new information became available. Wake County public schools responded by temporarily shutting off access to Canvas and advising users not to log in, click links, download files, or respond to the ransom message. The University of North Carolina at Chapel Hill reported that Canvas was unavailable due to a system outage caused by the Instructure cybersecurity incident, which impacted approximately 9,000 universities and schools nationwide. UNC noted that the outage did not affect spring semester finals, which had concluded on Thursday, but that analysts were reviewing how the disruption might influence grade submissions due on Monday, May 11, 2026.

Later on May 7, the ShinyHunters pop‑up was replaced by a Canvas notice indicating the platform was undergoing scheduled maintenance. By later that night or the morning of May 8, Canvas was reported to be accessible and operating normally again. Some universities, including Duke, rescheduled Friday, May 8 examinations for Sunday, May 10, in response to the disruption. The ShinyHunters message had previously included a link to a list of affected schools, which the group said showed more than 9,000 institutions and every Ivy League university among the compromised users. No statements from Duke or other institutions indicated whether any ransom payment was made or negotiated. As of the latest updates provided in the articles, the incident remained under investigation by the affected institutions’ security teams.