A number of public schools and colleges across Virginia appear to be having issues on Thursday with Canvas — an online tool used by education institutions — possibly in regards to a malicious data breach.
A message from the purported hackers, who call themselves "Shiny Hunters" — possibly a Pokemon reference — said: "If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked."
Watch related: Unsolicited packages could mean your personal data has been compromised
The message then had an attached list, which named a number of Virginia school systems:
- Virginia Beach City Public Schools
- Chesapeake Public Schools
- Mathews County Public Schools
- Isle of Wight County Public Schools
- Accomack County Public Schools
- Virginia's Community Colleges
- Old Dominion University
- Regent University
- Christopher Newport University
- Virginia Commonwealth University
- University of Virginia
- Virginia State University
- Eastern Virginia Medical School
- Hampton University
- Colonial Williamsburg Foundation
Shortly after the message appeared for some Canvas users, the systems were inaccessible. A member of the News 3 team got the following error notification when they tried to log into their Canvas account:
Virginia Beach City Public Schools notified families and staff about a "cybersecurity incident involving unauthorized access to certain student and staff information" in regards to a Canvas data breach. In their message, they said the incident may have happened in late April, and that it was first reported to them on May 1.
In an update on their website, parent company Instructure confirmed the data breach happened on April 29 and involved certain personal information of users including names, email addresses, student ID numbers, and messages among Canvas users.
Instructure says no evidence has been found that passwords, dates of birth, government identifiers, or financial information were involved. They also have not found evidence that data was taken in Thursday's incident, and said they will continue to investigate and share more as findings are verified.
Watch related: FBI warns public about AI-generated voice messages impersonating US officials
VBCPS says impacted students will not be penalized for missed assignments. They also said the Virginia Department of Education, Virginia Fusion Center and legal counsel have been contacted.
In a statement shared Friday, Norfolk Public Schools says they have restored their Canvas access. They emphasized that sensitive information was not breached as a result of this cyberattack, adding that they did not receive a ransom note. Non-digital methods of instruction were adopted as temporary alternatives.
Instructure sent News 3 the following statement Friday morning:
“Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
Instructure says law enforcement including the FBI, U.S. Cybersecurity and Infrastructure Security Agency, and international law enforcement partners have been notified.
Instructure is sharing updates and FAQs here.
Click here to see how we use AI at WTKR News 3.
