
The Text Was Just a Picture of a Screen
It was 1:10 PM Pacific yesterday.
I was at my desk running a security scan on our team’s GitHub Actions runners — the GitHub-hosted ones, not self-hosted — going through the kind of checklist you run after a bad month and a CVE. My phone buzzed. It was a text from one of the instructors at UW.
No words. Just a picture of her screen.
The screen was black. The header read SHINYHUNTERS. Underneath it: “rooting your systems since ’19 ;)” And the body text said ShinyHunters had breached Instructure again — meaning Canvas — and that if any of the schools on the affected list wanted their data not to leak, they had until end of day on May 12, 2026 to negotiate privately.
There was an IP. There was a .onion address. There was a download link for a file called affected_schools_list.txt.
I stared at it for about four seconds. Then I knew exactly what had happened.
Canvas — the system every grade, every assignment, every internal message, every roster of every student at this university lives on — was being ransomed. And not just our university’s. Every university running it.
I Slacked Don. Then I Slacked the eScience team channel. By the time I’d typed the second message, the news was already starting to spread.
By this morning, the number was public. 275 million students and teachers.
I started writing this in the middle of the night. Canvas access has been restored on campus. That’s not the same thing as the data being safe. The data has already left the building.
I want to walk you through what actually happened — not as a news report, because the news has done that — but as the explanation I keep wanting to give people. About what ransomware actually does while you’re reading the note. About what the encryption underneath your everyday life is supposed to do for you. And the part that doesn’t get said enough — the strange, humbling math problem the whole story leans on.
Because if you’re a developer, you probably know most of these pieces. Knowing them in isolation isn’t the same as seeing how they all fit together when one of them fails. Let me try to put them in the same room.
What Actually Got Stolen
A quick orientation, because Canvas isn’t every reader’s daily problem.
Canvas is the learning management system run by a company called Instructure. It’s the dashboard where professors post assignments, where students submit work, where grades live, where the inbox between you and your TA sits. Nearly nine thousand institutions globally use it. Most of the Ivy League. MIT. Oxford. Harvard. Penn. Duke. Most public universities you can think of in the US.
What ShinyHunters claims to have, according to their own statement and confirmed in early reporting, is the connective tissue. Names. Email addresses. Student ID numbers. Internal messages between users.
What Instructure says was not taken: passwords. Dates of birth. Government IDs. Financial information.
I want to honor that distinction, because it matters. The breach is bad. It is not maximally bad. If you went to a US university in the last decade, your name and email being on a list maintained by an extortion group is unpleasant — it isn’t identity theft material on its own.
But the messages part is where it gets uncomfortable. Internal Canvas inbox content includes private conversations between students and instructors. Mental health disclosures. Disability accommodations. Grade disputes. The kind of correspondence you sent in 2017 when you were nineteen, and never thought about again.
That’s the part that doesn’t have a clean privacy bound. And that’s the part that makes “double extortion” — which I’ll get to in a minute — actually work.
What Ransomware Is Doing While You’re Reading the Note
Here’s where I want to slow down, because most of the public coverage skips the mechanics. And the mechanics are the part that helps you reason about what’s recoverable and what isn’t.
A ransomware attack happens in roughly five movements. Let me walk you through them.
The first move is always getting in. Phishing email, an unpatched vulnerability, a credential bought off another breach, a vendor in the supply chain who’s been compromised for weeks without anyone noticing. ShinyHunters has historically favored credentials lifted from third-party SaaS — Snowflake instances, Salesforce orgs, the integrations a company plugs into the platform but doesn’t think of as part of the platform. We don’t yet know exactly how Instructure was hit this time. The first detail you usually find out months after a breach is the part the company least wants to discuss.
Once they’re inside, they don’t smash anything. They walk around. The malware maps the network — what services exist, which machines have which permissions, where the backups live, which boxes have privileged access to other boxes. This part takes hours, sometimes days. Good defenders catch attackers here. Most defenders don’t get a chance to.
Then comes the move that matters most for this story: copying the data out. Modern ransomware doesn’t just encrypt your files anymore — it copies them off, to a server the attackers control, before anything else happens. This is called exfiltration. The Canvas breach is, by every public account, an exfiltration story more than an encryption story. They got the data off Instructure’s systems. That’s the leverage they’re holding.
Only after the copy is safely off-network do the attackers actually encrypt anything. The malware runs, scrambles every file on every machine they reached, replaces them with versions you can’t open without a key the attackers hold. This is what takes a system down. (You’ll notice Canvas access went down at universities — even though Instructure didn’t pay — because either the attackers triggered the lock or because Instructure shut things off defensively. Both look the same to a student trying to upload an assignment at 11pm.)
And finally, the ransom note. A screen, a pop-up, a text file in every directory. It tells you who they are, how to contact them, what they want, and what happens if you don’t. There’s almost always a deadline. The deadline exists for psychological reasons more than technical ones. Hostage logic.
The thing I want you to notice is that step three — exfiltration — happens before the encryption that takes your system down. By the time you see the ransom note, you have already lost the data. The lockup is a separate problem. Even if you restore from backups perfectly, you don’t un-leak what’s already on someone’s hard drive in another country.
That’s the part that matters here. Canvas being back online doesn’t put the data back in the box.
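Because the copy-out comes before the lockup, outbound volume is the signal a defender still has before any note appears. The sketch below is an added example, not part of the original post: it flags hours where a host's external egress jumps far above its own recent baseline. The record fields, thresholds, addresses and timestamps are all constructed assumptions.

```javascript
// True for RFC 1918 addresses; only traffic leaving the network is egress.
function isInternal(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function median(xs) {
  const s = [...xs].sort((x, y) => x - y);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// For each source host, flag hours whose external outbound bytes exceed the
// median of the previous `window` hours by more than k median absolute
// deviations (plus an absolute floor, to ignore noise on quiet hosts).
function egressAlerts(records, { window = 6, k = 8, floor = 1e9 } = {}) {
  const perHost = new Map(); // src -> Map(hour -> external bytes)
  for (const { hour, src, dst, bytes } of records) {
    if (!perHost.has(src)) perHost.set(src, new Map());
    const h = perHost.get(src);
    h.set(hour, (h.get(hour) || 0) + (isInternal(dst) ? 0 : bytes));
  }
  const alerts = [];
  for (const [src, h] of perHost) {
    const hours = [...h.keys()].sort();
    for (let i = window; i < hours.length; i++) {
      const past = hours.slice(i - window, i).map(x => h.get(x));
      const med = median(past);
      const mad = median(past.map(v => Math.abs(v - med))) || 1;
      const now = h.get(hours[i]);
      if (now > floor && now > med + k * mad) alerts.push({ src, hour: hours[i], bytes: now });
    }
  }
  return alerts;
}

// Constructed records: a file server with steady external traffic, an internal
// backup, then a bulk upload to one outside address before files start changing.
const normal = [52, 61, 48, 70, 55, 66, 58, 63].map((mb, i) => ({
  hour: `2026-01-01T0${i}`, src: '10.0.4.20', dst: '198.51.100.9', bytes: mb * 1e6 }));
const sample = [...normal,
  { hour: '2026-01-01T08', src: '10.0.4.20', dst: '10.0.9.5', bytes: 9e10 },    // internal backup
  { hour: '2026-01-01T09', src: '10.0.4.20', dst: '203.0.113.7', bytes: 4e10 }, // external bulk copy
  { hour: '2026-01-01T10', src: '10.0.4.20', dst: '198.51.100.9', bytes: 6e7 }];
const firstEncryptionSeen = '2026-01-01T11'; // constructed: when files became unreadable

console.log(egressAlerts(sample), 'encryption first seen:', firstEncryptionSeen);
```

The larger internal backup at 08:00 is ignored, and the single alert lands two hours before the constructed encryption time.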
How Encryption Is Supposed to Save You
Now let me back up, because the word “encryption” has been carrying a lot in the last three paragraphs without me explaining what it actually is, and most people I respect have a fuzzy picture of it. Let’s fix that.
There are two kinds of encryption you care about, and they work differently.
The simple one is symmetric encryption. Same key locks the door, same key opens it. Fast, efficient, great for big files. The catch is the obvious one — for me to send you a locked message, you and I need to have the same key, and I need a way to give you that key without anyone else seeing it. If we can meet in person, fine. If we’re emailing, we have a chicken-and-egg problem.
Asymmetric encryption solves that. Two keys instead of one. A public key, which I publish openly — anyone can use it to lock a message to me. And a private key, which only I have, and which is the only thing that can open what was locked with the public one. You don’t need to share a secret with me first. You just grab my public key, lock the message, send it.
The way real systems use these is to combine them. The symmetric key is fast, so you encrypt the actual file with that. Then you encrypt the symmetric key with the recipient’s public (asymmetric) key, and ship both together. The recipient unlocks the small symmetric key with their private key, then uses it to unlock the big file. This is called envelope encryption, and it’s the foundation of TLS, signal protocols, modern messaging — almost everything that keeps your day private in the background.
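The envelope pattern described above, as an added example that is not from the original post, using Node's built-in crypto module. The choice of AES-256-GCM for the payload and RSA-OAEP for wrapping the data key is an assumption for illustration, as are the function names and the sample message.

```javascript
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Recipient's asymmetric key pair (generated here for the demo; a production
// private key would normally sit in a KMS or HSM).
function newRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Lock: a fresh symmetric data key encrypts the payload, then the data key
// itself is encrypted ("wrapped") with the recipient's public key.
function sealEnvelope(publicKey, plaintext) {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, used once per data key
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, tag, ciphertext };
}

// Unlock: the private key recovers the small data key, which opens the payload.
// GCM checks the tag in final(), so modified ciphertext throws.
function openEnvelope(privateKey, env) {
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, env.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// Returns true if opening fails (wrong private key or altered bytes).
function rejects(privateKey, env) {
  try { openEnvelope(privateKey, env); return false; } catch { return true; }
}

// Constructed sample message, not real data.
const recipient = newRecipientKeys();
const stranger = newRecipientKeys();
const envelope = sealEnvelope(recipient.publicKey, Buffer.from('constructed sample inbox message'));
const tampered = { ...envelope, ciphertext: Buffer.from(envelope.ciphertext) };
tampered.ciphertext[0] ^= 0x01; // flip one bit of the stored payload

console.log(openEnvelope(recipient.privateKey, envelope).toString());
console.log(rejects(stranger.privateKey, envelope), rejects(recipient.privateKey, tampered));
```

Whatever holds the private key, including an application's own decrypt path, gets the plaintext back; the envelope protects the stored bytes, not a caller that is permitted to open them.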
So when Instructure stores your messages encrypted at rest, and your password hashed, and your traffic over TLS, all three of these mechanics are in play. The encryption almost certainly held. The reason you’re reading about a breach isn’t that the math broke. It’s that an attacker got close enough to the data — through a credential, a vulnerability, a misconfigured integration — that the encryption was unlocked legitimately, by the system itself, while they watched.
Which brings me to the part of the story I keep finding strange.

