On Thursday, May 7th, 2026, halfway through his game design class, senior Daniel Garcia Ruiz was idly sitting in class. Near him, a student in his class decided to log into Canvas, the platform that both Santa Ana Unified School District and Santa Ana College (SAC), as well as thousands of schools nationwide, use to host and grade assignments. Suddenly, they were met with a surprising sight.
On that day, Instructure, the parent company of Canvas, was subject to a ransomware attack involving data that reportedly affected around 9,000 schools worldwide and 275 million individuals. Amongst the districts affected were the Santa Ana Unified School District and Rancho Santiago Community College District. The hack itself concluded on May 11th with the announcement that Instructure paid an undisclosed amount to the group in exchange for data not being leaked, but between the start and end of the attack, there was much disruption at both Middle College High School and SAC for both students and staff.
As Garcia Ruiz recalled, when the classmate opened Canvas, they were met with the revelation that the platform had been hacked.
“One of my classmates was like ‘Oh my days, when I try to duplicate this [Canvas] tab, it shows me this ShinyHunters thing. I think Canvas got hacked,’” Garcia Ruiz said.
The hack, along with holding data for ransom under the threat of being leaked, briefly shut down access to the platform. Instead of seeing the site, users were instead shown a ransom threat by the perpetrators, hacking group ShinyHunters. The hack followed an initial attack on April 25th that was later reported as being resolved on May 1st. Using a vulnerability in the Canvas Free-for-Teachers accounts, the hacking group was able to obtain items such as usernames, email addresses, course information and messages. Items such as passwords, grades and personally identifiable information, like social security numbers and dates of birth were not obtained.
Immediately following the revelation that Canvas was hacked, Garcia Ruiz’s class had to improvise with what they could work with.
“We were just working on whatever we had available outside of Canvas, so any existing Google Docs, any game design projects, any stuff like that,” Garcia Ruiz said.
This also applied to college classes that were in session. For SAC freshman Johnny Trine, he was in the middle of a lecture when Canvas was hacked. Fortunately, the professor was able to quickly adapt.
“My professor, she was about to pull up the lecture slides on the projector, but then she couldn’t access Canvas… so she just switched back to the whiteboard,” Trine said.
For AVID teacher Thu Nguyen, she was able to adapt as she had already prepared for scenarios in which the Internet was unavailable due to previous issues.
“The first thing I did was I took it in stride because these things happen. Our district is not unfamiliar with the idea of the net being down, WiFi not working, so I am not completely co-dependent. Most of my resources, I have either a hard copy or my own Google drive, and I do compensate because there are other ways to fill a lesson without having people stare at a screen or look at an open PDF or Google Doc,” Nguyen said.
However, for SAC math & computer science professor Dr. George Sweetney, he was greatly disrupted as he had upcoming plans for classes that involved Canvas. While he was not using Canvas when the hack first occurred, he was forced to extend many assignments.
“I wasn’t immediately on [Canvas], but I had plans for what I was going to be doing on Thursday and Friday, and then I wasn’t able to do it. So a lot of grading, and I had to get information out to students. They had to turn things in, so like, for example, there were a lot of assignments I had to open up for longer because students couldn’t actually upload them,” Sweetney said.
Services that relied on Canvas to function, such as SAC’s Learning Center, were especially affected. Trine, who works there, shared how it was affected and how the Learning Center responded.
“The Learning Center, they were able to email the Zoom link [to access it virtually]. Before the hack, you would have to log into Canvas to access the Zoom link, but after the hack, the Learning Center emailed the link to students… DOTAs [Directed Online Tutoring Assignments] would have been affected, because they’re on the Canvas and people need to access those,” Trine said.
As a student, though, Trine was grateful for the extensions. Since he was physically incapable of doing assignments, he felt relieved to be able to take a short break, which was thanks in part to his professors’ adaptability.
“I was like ‘Free extension! Woo hoo!’, and that’s about it. I was pretty excited… it wasn’t stressful. My professors, they adapted really quickly. They found another solution to show contents in lectures,” Trine said.
Garcia Ruiz, who takes three college classes along with his standard high school classes, shared the same sentiment, as he viewed the extensions as a way to relax for a bit after a stressful semester.
“It was a very well-deserved break. I’ve been stressing very hard over my college classes, so I definitely appreciated the break,” Garcia Ruiz said.
However, Garcia Ruiz was not able to fully relax. One of his professors refused to extend an upcoming assignment, citing the fact that Canvas was not technically required to complete it.
“He was like ‘Oh, Canvas is down. That’s too bad. You can still research.’ So he sent us the assignment via email,” Garcia Ruiz said.
On May 8th, Santa Ana College, following the advice of the State Chancellor’s Office and the California Community Colleges Security Center, decided to require multi-factor authentication to log into Canvas. This caused issues with logging-in with some people, which included junior Eddie Martinez.
“I lost my ability to log into Canvas even when it was fixed, because it asked for an authorization code that I didn’t have. The issue was that it just didn’t give me the code. It didn’t give me the option, so I was just logged out for, like, two weeks? Three weeks?,” Martinez said.
Even when Martinez sought help, he was still unable to log-in due to an overloaded IT department and had to resort to school counselors for assistance.
“I went to talk to the counselors, they were able to help me, but one thing that was really annoying is that the SAC number they gave us for the IT was really busy, and they never responded even though it’s been three days. So, I went to talk to [Mrs.] Quinonez, and she was able to fix it in, like, less than 30 minutes,” Martinez said.
Multi-factor authentication was welcomed by Sweetney, though, as he viewed the extra protection as a necessary change that should have been implemented before.
“It was a long time coming. We probably should do that. It should be on Self-Service. I think generally, your Self-Service, your Instructure, anything that you have going through SAC should be probably multi-factor authentication, and, y’know, it’s a lot more security on anything where it’s easy to grade,” Sweetney said.
The new policy, however, had its skeptics, which included Garcia Ruiz. He shared a concern that using multi-factor authentication would end up potentially sharing more information to the hackers.
“It’s actually so stupid, ‘cause it’s like ‘Oh, you just got hacked? Yeah, let me give you more of my information. I’m sure nothing bad will come from that,’” Garcia Ruiz said.
However, Sweetney viewed no security issues with using multi-factor authentication as the authentication was separate from Canvas.
“You utilize an authenticator or you get something into your phone in order to get access to the actual Canvas parts. That’s a good thing, I think inevitably, given the fact that we all depend on that security,” Sweetney said.
Santa Ana Unified School District announced on Friday, May 8th, that as a precautionary measure, they would disable access to student Google accounts and access to Canvas until Monday and Wednesday of the following week respectively. Due to this lock, students such as Martinez who relied on their Google account to log into their school computers were worried.
“It was stressful. I was still able to [log in] since my Chromebook was not locked out and it still had my account on there, so I was able to do it. But if you really think about it, it was like one second, it could be locked out, and the next, you no longer have access to your Chromebooks at all,” Martinez said.
SAUSD also forced Google accounts to prompt a password reset when attempting to be logged into, which, like multi-factor authentication, caused trouble amongst students and staff, including Nguyen.
“They did send out a Q&A of ‘This is what you need to do, this is what you need to do,’ but then we followed through, and it wasn’t completely efficient. I reset my own passwords, like, three times, and it worked finally, but it wasn’t exactly how they thought it would pull out, and I think afterwards, a lot of students still had trouble resetting their passwords,” Nguyen said.
As for Instructure paying the ransom to the hacking group, Sweetney predicted that the decision would close the immediate threat of data being leaked and the disruption that the hack caused.
“Sometimes, there is no other choice, right? Y’know, you take a hard line on this kind of thing, and since their data gets out there, it’s a really big problem for Canvas. For students, it’s a hard problem, so sometimes, paying the ransom is the smartest thing to do… For ShinyHunters, it is in their best interest if Canvas pays the ransom to not, in fact, put out the data, because if the data gets out there, and they have an attempt to ransom somebody else, the next person will just be like ‘No, we’re not paying you ever. You’re going to put it out there no matter if we pay your ransom or not, so forget it,’ and then, hence, they no longer have any credibility at all,” Sweetney said.
