Cyber Incident Victim: University of North Carolina at Chapel Hill
Date:
May 2026
Location:
United States of America
Summary
The University of North Carolina at Chapel Hill experienced a disruption of its Canvas learning management system after a cyberattack on Instructure, the platform’s parent company, by the group ShinyHunters, which triggered ransomware‑style pop‑up messages demanding contact to negotiate a settlement. The breach exposed personal data of students and staff across thousands of institutions worldwide, though officials said there was no evidence that passwords, birth dates, government identifiers or financial information were compromised, and the university noted that spring semester grading deadlines were unaffected.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Over the weekend of May 2‑3 2026, the cyber extortion group ShinyHunters compromised Instructure, the parent company of the Canvas learning management system, claiming that the breach affected nearly 9,000 schools worldwide and exposed personal identifying information for over 275 million students, teachers and staff according to Inside Higher Ed. Wake County school system learned of the data breach on Tuesday May 5 and began notifying families on Wednesday May 6, stating that based on the information received, personal data of current staff and students may have been accessed but there was no indication that passwords, dates of birth, government identifiers, or financial information were involved. On Thursday May 7, students and educators who logged into Canvas encountered a pop‑up message purportedly from ShinyHunters demanding that users contact the group to “negotiate a settlement” by the end of the day on May 12 or risk having their personal information leaked publicly. The message included a link that the group said showed which schools were affected and reiterated the May 12 deadline for contact.

The University of North Carolina at Chapel Hill confirmed that Canvas was unavailable due to a system outage caused by the cybersecurity incident at Instructure, noting that the outage impacted approximately 9,000 universities and schools nationwide. UNC‑Chapel Hill stated that the outage had no effect on spring semester finals because they had concluded on Thursday May 7, but the institution was analyzing how the disruption might affect grade submissions due on Monday May 11 and pledged to provide updates and any necessary information to faculty and students as more details became available. Duke University also reported being notified by Canvas of a cybersecurity incident resulting in unauthorized access to data at Canvas from thousands of institutions, including Duke, with Duke’s chief information security officer indicating that the IT Security Office was closely monitoring the situation and assessing any effect on the university community, while noting that Instructure’s notification had found no indication that passwords, dates of birth, government identifiers, or financial information were involved.
In response to the ransomware pop‑up, the Wake County school system temporarily shut off access to Canvas and issued a directive advising users not to log into the system, not to click on any links, download files, or respond to any messages related to the threat. UNC‑Chapel Hill communicated that it was working with Instructure to restore service and would continue to inform the campus community about the status of Canvas and any implications for academic processes. Duke’s IT Security Office said it would continue to monitor the incident and provide updates as new information emerged, while both universities emphasized that they were following the guidance provided by Canvas and Instructure regarding the ongoing situation. The coordinated actions taken by the affected institutions aimed to limit further exposure and maintain transparency with students, faculty, and staff throughout the incident.
