Several schools in Mississippi are among roughly 9,000 educational institutions across the U.S. affected by an extortion-centered cyberattack on the widely used technology platform Canvas.
On Thursday, a criminal hacker group called ShinyHunters issued a message claiming that it had breached Canvas’ parent company, Instructure. Schools traditionally use Canvas to manage assignments, grading, and communication between students and educators. Last week, Instructure acknowledged that it had been the target of a “cybersecurity incident perpetrated by a criminal actor.”
The data gathered by hackers included the names of hundreds of millions of users, their email addresses, and even messages. During Thursday’s incident, the hackers displayed a message on Canvas claiming that Instructure had ignored previous demands from ShinyHunters and instead implemented security measures that seemed to fail. The group threatened to leak the data of any school on its list by May 12 unless the institution reached some form of settlement with the hackers.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some ‘security patches,'” a statement from the hackers that popped up on Canvas before being replaced by a maintenance message reads.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm to contact us privately at TOX to negotiate a settlement. You have until the end of the day by 12 May 2026 before everything is leaked.”
The Canvas breach occurred on the first day of final exams at Mississippi State University, leaving many students unable to complete assignments. Concerns have now been raised about the future of final exams, especially for seniors, who have commencement ceremonies next week. At this time, Mississippi State has not outlined its next steps, but has notified faculty and students that updates will be provided when made available.
[Mississippi State University] will never direct users to unverified third-party sites for Canvas-related communications or remediation activities. Out of abundance of caution, users should avoid interacting with or clicking on any links, messages, or content that may be posted by threat actors or appear suspicious,” a release from Mississippi State reads.
“Mississippi State understands the importance of Canvas to teaching and learning activities and recognizes the challenges this outage is causing. We will share updates as additional information becomes available.”
Along with Mississippi State, Mississippi Free Press reports that Delta State University, the University of Southern Mississippi, Mississippi Gulf Coast Community College, the University of Mississippi Medical Center, East Mississippi Community College, Southwest Mississippi Community College, Mississippi University for Women, Mississippi College, and Mississippi Valley State University were targeted. The Mississippi School for Mathematics and Science was also affected by the cyberattack.
