A Ransom Note, Mid-Exam

On May 7, 2026, students and faculty logging into Canvas, the learning management system used by millions across the US, Europe, and Australia, were met with a ransom note. Behind the attack was ShinyHunters, a cybercriminal group that breached Instructure’s systems, exfiltrating 3.65 terabytes of data from nearly 9,000 institutions—including names, email addresses, student IDs, and private messages—before threatening to leak 275 million records unless a ransom was paid. Many US universities found themselves facing the crisis in the middle of finals week.

Aubrey, a meteorology student at Mississippi State University, was mid-exam when the note appeared. Eva, a German language instructor at Rutgers University, learned about it by email.

“When I first saw the ransom note, my knee-jerk reaction was that I had been hacked. Maybe even that there was some anti-cheating popup, since we took the test in a lockdown browser. After a second, I read the note and saw that it was actually Canvas that had been hacked.

In the moment, I wasn’t worried about the hackers, or Canvas, or anything like that. I’d just written nearly 2,900 words for my exam, and I wanted to make sure it wasn’t all lost. That exam felt like I’d just sprinted for three hours.

About half of the class worked right until the deadline, so we all got the ransom popup at the same time when we hit submit. Within about thirty seconds, we were all looking around and realizing each of us had the same message. We started worrying if our work was saved, and I could feel the tension in the room. We chatted for a few minutes, and then awkwardly laughed on our way out as we tried to take in what had just happened. We’re all seniors, and many were concerned with graduation planned in just a few days. Would there be time to handle the changes? I had to leave during the middle of finals week, and I began worrying about having to delay my trip.

Canvas went down at 3 p.m., and we didn’t hear any official communication until three hours later. After getting out of my exam, I planned to immediately begin studying for the next ones—I had an exam at 8 a.m. the next day. I kept refreshing the page, thinking that the platform would soon come back online, but after a few hours, I realized I was going to have to study without being able to access most of the course materials.

Canvas stayed down until just before midnight. I ended up staying up late and waking up extra early the next morning. Then I saw that my school waited until 7 a.m., one hour before exams were supposed to start, to announce that all of Friday’s exams would be moved to Saturday. Canvas came back online at midnight. Nothing had changed in the last seven hours. Why did they wait so long to make a decision?

Having hours to sit and do nothing but worry, I did start to think about just how dependent we are on technology. Are there even any laws that regulate how protected companies have to be against these kinds of attacks? This seems like something I should know in 2026.

The communication was poor. It could only get worse by saying nothing.

As time continued to go on, though, I think there was a moment of online solidarity where students across the country realized we were all in pretty much the same situation. I was messaging my friends at different schools to ask how their school was handling it. I left a comment on Instagram and students from other schools were replying. It felt like we all came together for a minute. Ultimately, our professors allowed us the choice to take our exams as scheduled, or to take them on Saturday. I appreciated the flexibility, and I took my exams as scheduled so that I could leave as planned and start my internship on time.

In meteorology, every weather event has a ‘fail mode.’ For something like a hurricane or tornado, lots of ingredients have to come together in a very specific balance. Just a few degrees of difference here or there can be the difference between a huge storm or a sunny day.

Cybersecurity is the same. Hacks like this hinge on one point being just weak enough to get through. Even if everything else is perfect, one small hole can let a flood through. Rarely, though, is it a small mistake. It's often the difference between night and day.”

Aubrey, meteorology student, Mississippi State University

“I did not see the ransom note. I only learned about the breach from Rutgers University, who sent out an email notifying us that Canvas had been hacked globally. The breach came right during finals week, so classes had already ended. Students were worried about accessing study materials— I sent them via email. 

Because students could not access study materials for about a day, finals that should have taken place on Friday or Saturday were rescheduled for Sunday. The decision to reschedule Saturday exams came Friday night, and I received emails informing me of my new time slot and room allocation at about 8 p.m. When a student had a time conflict with another exam, the scheduling office followed up that same evening and sorted it out.

With the rise of AI, some fields have returned to more analogue ways of learning and testing. A lot of Rutgers exams are returning to blue books, and the German language sequence has paper-based midterms and finals as a rule. Maybe this cyberattack would have hit harder in 2020 to 2022—after COVID and pre-LLMs.

The scale of the incident reassured me in my approach to prepare my classes offline and to only use learning platforms as a sort of data-sharing platform.

I would not have expected learning platforms to be an interesting target for cyberattacks. That changed.”

Eva, German language instructor, Rutgers University