Jason WhitacreOver two weeks ago, students and faculty were locked out of the Canvas educational program by the ShinyHunters black hat hacker group. Some students are still struggling to find access to their coursework despite efforts to expand data privacy safety and 24/7 technical support. Academic Senate Chair Claire Coyne and Vice President of Academic Affairs Dr. Jeffrey Lamb have asked faculty members to extend deadlines for student assignments while issues persist, yet many students have claimed this grace period has not been provided.
On Thursday, May 7, students and faculty at Santa Ana College were informed that the hacker group had breached educational technology company Instructure. Instructure’s Canvas learning management system was crippled for 9,000 universities and community colleges across the world, and the group was demanding financial compensation from Instructure or face a leak of sensitive information from countless college students, teachers and faculty.
Problems didn’t begin on May 7, however, as the invaders took their time to cripple the California school system.
“A week before that Thursday, a few of us did know that there was a hack for Canvas.” Library Technology Chair Jaki King said, listing off several department acronyms, including Information Technology Services, the Distance Education office, Continuing Education and others.
King continued: “At that time, Instructure was telling us this had happened, we’ve patched it, we’ll get you more details, but it might take a few months. We weren’t trying to cause a panic; all we knew at that time was that names had been hacked.”
Instructure claims they detected unauthorized activity on Canvas on April 29, before the May 7 Canvas hack. That’s when students across the world, including SAC, began to report an image straight out of a cyber horror film with a web address to impacted schools, and instructions on how to make contact with the black hat hacking collective.
Emerging in 2019, ShinyHunters has claimed responsibility for several major hacks, with the only connection being financial incentive. This is not the altruistic “hack the planet’ philosophy of Matthew Lillard’s Hackers film.
ShinyHunters specializes in exploiting system vulnerabilities for malicious purposes. Having breached the private data stored by large companies such as Google or Microsoft, as well as seemingly innocuous systems like educational MMO game Animal Jam, and now another far-reaching company, Instructure.
A publicly available incident fact sheet released on May 14 from Instructure and directed at users of their Parchment product, claims: “We know the actors responsible for this incident took data from the Canvas platform. We believe the information involved included information like usernames, email addresses, course names, enrollment information and messages.”
Acquired by global investment firm KKR in 2024 for $4.8 billion — in a deal involving investment group Dragoneer — Instructure was taken out of public trading and moved into private ownership, placing the company in the same group as a myriad of other industries, ranging from entertainment to housing.
“As investment firms expand their digital footprint and manage increasingly complex portfolios, threat actors have begun to exploit the convergence of finance, technology and trust,”according to the website for security firm Thomas Murray Cyber.
During a time when private information is increasingly used against our friends and neighbors, how safe that information really is and what agreements may have been made with ShinyHunters by Instructure is up for question. While passwords and banking information are said to have remained safe from technological weaknesses, those messages are full of potential personal vulnerabilities.
“It was quite terrifying. All of my information is on the app itself,” said psychology major America Cruz. “I wish that some professors would have been more understanding when it comes to extending assignments or reaching out towards students because a lot of them did not until the last minute.”
Cruz is not the only student to report this lack of deadline sensitivity by SAC professors in the wake of the breach, which Jaki King and the Vice President of Academic Affairs, Dr. Jeffrey Lamb, claim conflicts with administrative requests.
“We had really good people giving really good input to solve the problem,” Dr. Lamb said. “As an administrator, I can only ask or recommend leniency…to give people the flexibility of the grace of time, because it’s outside of everybody’s control.”
ShinyHunters gave a May 12 deadline for an agreement, before potentially sensitive data would be released. A statement on the Instructure website said they had “reached an agreement with the unauthorized actor involved with this incident.” Though no ransom figures have been released, Instructure has reported that digital confirmation of data destruction was given. They also claimed that, per the deal made, “no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”
In 2024, Instructure began beta-testing its AI tools, which they offered free of charge, with a slow rollout that helped prevent errors and bugs. In 2025, the company announced a strategic partnership with OpenAI.
“They offered it for free, for a while, to get people to use them. Now, in June, you have to start paying for them.” King said, “They started rolling out new features, and they were buggy. They used to not do that, they used to slowly roll things out and beta test them until they worked.”
With the increasing speed of technological releases that often place profits over personal responsibility, concerns about digital vulnerability are reasonable. So how does one protect themselves?
Keep passwords up to date and hard to guess. Always check the email addresses in your inbox before clicking on any links and watch out for out-of-place requests.
Utilize multifactor authentication when possible. SAC opened up multifactor authentication as a result of this incident. While the rollout was initially intended for over the summer, with less burden on tech support staff, the necessity for extra security was clear.
“It’s a very real thing to stay ahead of cyber threats,” Dr. Lamb said. “Efforts are being made to do that within our system, and to beef up security with multifactor authentication. It is something that we had been hesitant to use, primarily because it’s one more thing for a student to do before they can enroll. We try to remove those barriers, and this felt like one, so we added multi-factor authentification.”
While there will be further efforts to communicate with professors about how to move their courses off of Canvas if necessary, in the end, much of our data remains vulnerable to Instructure’s own security measures.
“Canvas is the last thing I assume anybody would try to hack. I do hope that because of this situation, the company will take the sensitivity of its security seriously.” Cruz said.
