What they're not telling you: # ShinyHunters' Canvas Ransom Deadline Arrives as 9,000 Schools Stay Silent on Breach A ransomware deadline expires tomorrow for 275 million student records, yet most affected institutions haven't notified the students whose data hangs in the balance. The hacking group ShinyHunters breached Canvas, Instructure's learning management platform used by approximately 9,000 schools, and set a May 12 ransom deadline. The stolen data includes names, emails, student IDs, and private messages from major universities including Harvard, Columbia, Princeton, and Georgetown.

Jordan Calloway
The Take
Jordan Calloway · Government Secrets & FOIA

# THE TAKE: Canvas Got Ransomed. Schools Got Silent. Students Got Played. Instructure's Canvas learning platform sits inside 275 million student records. ShinyHunters has them. Tomorrow's the deadline. And your school? Radio silence. This isn't incompetence—it's strategy. Instructure issued a vague "security incident" statement May 8th. Schools copied the script: "We're investigating." Translation: *We're waiting to see if paying works first.* Here's the receipts problem: No school board is racing to notify students about data that *might* leak. Bad optics before ransom plays out. So 275 million people remain unprepared for identity theft while administrators calculate liability like it's a quarterly spreadsheet. ShinyHunters leaked 60 million Mox Martech records in March. Instructure won't confirm whether they paid. But notice the silence *before* payment deadlines always looks identical to this. Students aren't stakeholders in this negotiation. They're collateral.

What the Documents Show

The scope is staggering: a quarter billion records from educational institutions representing millions of individual students across North America and beyond. Yet according to available reporting from the r/privacy community, most schools have maintained public silence about the breach and its implications for their students' personal information. Instructure brought the platform back online following the breach, but the company has not publicly confirmed whether a ransom was paid to ShinyHunters or what negotiations, if any, transpired behind closed doors. This opacity creates an information vacuum where students and families are left guessing about the status of their data. The absence of transparent communication from Instructure or individual institutions suggests either ongoing negotiations with the threat actors, internal uncertainty about breach scope, or a deliberate choice to minimize public alarm—none of which serve the interests of affected students.

🔎 Mainstream angle: The corporate press either ignored this story entirely or buried it in a 3-sentence brief. The framing, when it appeared at all, focused on process rather than impact.

Follow the Money

The mainstream narrative around ransomware typically frames these incidents as technical problems requiring corporate response, overlooking the human cost and the perverse incentive structure such breaches create. When major institutions can absorb ransom payments as a business expense while remaining largely silent to the public, it normalizes extortion as a cost of operations. Schools have little incentive to rush transparency when doing so triggers mandatory disclosure obligations, potential regulatory scrutiny, and reputational damage. The students whose private messages, emails, and identifying information are at stake have no seat at this negotiating table. The May 12 deadline represents a hard stop. If ShinyHunters follows through on threats, 275 million records could appear on the dark web or be sold to other criminal actors.

What Else We Know

Once released, this data becomes a permanent resource for identity theft, social engineering, and targeted harassment. Student IDs paired with names and email addresses are particularly valuable because educational institutions often use predictable password reset mechanisms. Private messages may contain sensitive information about mental health, financial struggles, or other vulnerabilities that bad actors can weaponize. For ordinary people, this moment illustrates a broken system: institutions holding vast amounts of personal data operate under minimal accountability until a breach forces their hand, and even then, disclosure is grudging and incomplete. Students at Harvard, Columbia, and thousands of other schools should have received detailed notification about what data was exposed, what safeguards failed, and what monitoring they should undertake. The silence suggests they won't.

Primary Sources

What are they not saying? Who benefits from this story staying buried? Follow the regulatory filings, the court dockets, and the FOIA releases. The truth is in the paperwork — it always is.

Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.