Home Education 3 Space Coast Institutions Hit by Canvas Cyberattack; BPS, Florida Tech, and EFSC

3 Space Coast Institutions Hit by Canvas Cyberattack; BPS, Florida Tech, and EFSC

Robert W. Burns III
-
0
3 Space Coast Institutions Hit by Canvas Cyberattack; BPS, Florida Tech, and EFSC

Brevard Public Schools has disabled student access to the Canvas learning management system as a precaution after a worldwide ransomware attack on Canvas’s parent company, while Florida Institute of Technology has urged all of its Canvas users to reset their passwords and Eastern Florida State College has displayed a service outage notice on its website without addressing the underlying cybersecurity incident.

All three Space Coast institutions are caught up in what may become one of the largest education-sector data breaches in U.S. history. The cybercrime group ShinyHunters claims it stole roughly 275 million records tied to students, teachers, and staff across nearly 9,000 schools and universities worldwide by breaching Instructure, the Utah-based parent company of Canvas. The hackers have threatened to publish the stolen data on May 12 if Instructure does not pay a ransom.

Brevard Public Schools: Access disabled, no compromise found

In a statement provided to The Space Coast Rocket on May 7, a Brevard Public Schools spokesperson confirmed the district is responding to the incident and has taken Canvas offline.

“We are aware that a nationwide cybersecurity incident involving the Canvas Learning Management System occurred earlier this week,” the BPS statement reads. “As a pre-caution, Brevard Public Schools has disabled access to Canvas while the vendor works to resolve the issue. Communication has been shared with all families and staff. At this time, there is no evidence that any Brevard Public Schools systems or district data have been compromised.”

Brevard Public Schools appears by name on the leaked list of impacted institutions published on the ShinyHunters dark web data leak site, alongside Princeton University, Cincinnati Public Schools, Cal State Chico, the University of California Berkeley, and thousands of other K-12 districts and universities worldwide. Both Florida Tech and Eastern Florida State also appear on the leaked list of impacted schools by name.

Florida Tech: “Reset your passwords”

Florida Tech’s Office of Information Technology took a different approach, telling all Canvas users in a May 7 email that a worldwide security incident is under way and that, “as a precautionary measure, all Canvas users are strongly encouraged to reset their passwords.”

The OIT email, shared with The Space Coast Rocket by a recipient, says the university is monitoring communications from Instructure and evaluating any potential impact on Florida Tech services. “At this time, Florida Tech has not received any indication of a direct impact to our campus beyond certain third-party software becoming inaccessible due to Canvas’ response to the incident,” the email reads. The university said Turnitin, the plagiarism-detection and assignment-submission service used by faculty across its programs, is currently not functioning.

The Turnitin outage during final exam week creates an immediate problem for instructors trying to grade papers and students trying to submit them. The password reset directive, applied to every Canvas user across Florida Tech’s three Instructure-hosted instances, is a tacit acknowledgment that the university views the credential exposure risk as real, even as it publicly states no direct impact has been detected.

Florida Tech operates fit.instructure.com for the main Melbourne campus and most online programs, floridatech.instructure.com for Florida Tech Online, and floridatechce.instructure.com for Continuing Education on-demand courses. All three run on the same Instructure backend that ShinyHunters claims to have breached.

Eastern Florida State College: Outage banner, no statement

Eastern Florida State College has displayed a service outage banner across multiple pages of its website, including the Eastern Florida Online enrollment page, the Student Accounts page, and the Class Schedule Search page. The banner reads: “Canvas is currently experiencing a service outage. We are monitoring the issue and will share updates as available,” and links users to Instructure’s own status page.

The college has not, as of publication, issued any public statement on the cybersecurity incident, told students or faculty whether their data may have been exposed, or recommended any precautionary action such as a password reset. The Space Coast Rocket has reached out to EFSC’s communications office for comment. (Update: EFSC provided the following statement. “College leadership is aware of an issue involving Instructure, the company behind Canvas, our EFSC online learning system. Our IT team has been working diligently to determine the extent of the problem as it relates our college. At the present time, Instructure has not confirmed whether EFSC was among the institutions impacted. We are actively awaiting further details and will share updates with you as soon as they become available.”

EFSC operates a Center for Cybersecurity and Digital Forensics and runs a cybersecurity degree program that the college markets as an employment pipeline for the Space Coast’s information technology sector. The Rocket has asked the college whether its cybersecurity faculty have been consulted on the institution’s response and whether the college will provide guidance to students and staff.

What was taken

Instructure Chief Information Security Officer Steve Proud said in a May 2 statement that the data involved in the attack included names, student ID numbers, messages between users, and email addresses. Proud said there was no evidence that passwords, dates of birth, government identifiers, or financial information were involved, but cautioned the company would notify impacted institutions if that changed.

ShinyHunters tells a different story. On its leak site, the group claims it stole roughly 275 million records across 8,809 school districts, universities, and online education platforms, along with what it describes as billions of private messages between students and teachers. The group also claims to have breached Instructure’s Salesforce instance, suggesting additional data beyond Canvas itself may be in hand.

“Pay or Leak”

The attack began on or about April 30. By May 3, ShinyHunters had posted a ransom note giving Instructure until May 6 to negotiate, warning the company to “make the right decision” and avoid becoming “the next headline.” Instructure appears to have refused to pay.

On May 7, the hackers struck again, defacing the Canvas login pages of multiple schools by injecting an HTML file that altered the login screens to display a new ransom message. That message moved the deadline to May 12, threatening to publish the full dataset if Instructure does not negotiate a settlement.

Instructure’s own status page has at times returned a “too many requests” error as schools and students hammered the system trying to determine whether their data was exposed.

The bigger picture

ShinyHunters has had a busy 2026. Cybersecurity outlets have tied the group to recent breaches at the University of Pennsylvania, Princeton, and Harvard, as well as to a March attack on Infinite Campus, a K-12 student information system used in many Florida districts, that compromised data on roughly 11 million students. The group has also targeted Cisco’s Salesforce instance, Dutch telecom Odido, the European Commission, Amtrak, and the fintech firm Figure.

Canvas is used by roughly 41 percent of higher education institutions across North America, which is why a single vendor breach has cascaded into what may become one of the largest education-sector data exposures in U.S. history. The 2024 PowerSchool breach, by comparison, affected approximately 60 million students. The ShinyHunters claim of 275 million records, if accurate, would dwarf it.

Cybersecurity experts have warned that the most immediate risk to students, parents, and staff is targeted phishing. With access to real names, school email addresses, course names, and even fragments of teacher-student conversations, attackers can craft messages that reference real assignments, real instructors, and real classes, making them dramatically harder to spot than generic scam emails.

What students and parents should do now

Florida Tech’s own guidance is the simplest place to start: reset your Canvas password. Beyond that, cybersecurity researchers recommend the following:

  • If you reuse the Canvas password on any other account, change those passwords as well, and use a unique password for each account going forward.
  • Be extremely skeptical of any email, text, or message claiming to be from Canvas, Instructure, the school district, or any of the three institutions that asks you to “verify” credentials, open attachments, or pay fees.
  • Verify any suspicious notice by going directly to the institution’s official website or calling a known phone number, not by clicking links in messages.
  • For minors, parents may want to consider placing a credit freeze on the child’s file as a precaution, even though Instructure has so far said no Social Security numbers or financial data were involved.

The Space Coast Rocket will continue to follow this story and will publish updates as Eastern Florida State College responds, as Brevard Public Schools clarifies the gap between its assessment and the hackers’ claim, and as Florida Tech and Instructure release additional information.

Previous article Arrests in Brevard County: May 6, 2026 – Suspects Presumed Innocent Until Proven Guilty
Robert W. Burns III
https://thespacecoastrocket.com
Robert W. Burns III is the founder and editor-in-chief of The Space Coast Rocket, an independent news and investigative journalism publication covering Brevard County, Florida. A retired U.S. Army veteran and Melbourne High School graduate, Robert returned to his Space Coast hometown after his military service — which included a combat deployment to Iraq, where he served on a Military Transition Team training Iraqi forces during the country's first democratic elections. Robert founded The Space Coast Rocket in 2019 after discovering that significant local corruption stories were going unreported by established outlets. His investigative reporting has broken major stories in Brevard County, including the David Isnardi Palm Bay corruption case, and his extensive coverage of Florida politician Randy Fine has been picked up by national media outlets. His beats include Brevard County government, Palm Bay city hall, Space Coast crime and courts, Florida state politics, and investigative reporting on public corruption and government accountability. Beyond journalism, Robert has led several humanitarian relief efforts across the country, including organizing and personally delivering a truckload of emergency supplies to San Antonio, Texas during the February 2021 winter storm crisis — work that was covered by both San Antonio and Orlando media. He has also coordinated community-driven disaster response after multiple hurricanes affecting Florida's Space Coast. Robert is President of The Relentless Group and owner of The Social Wizards, a digital marketing and social media agency. He is also the founder of Tourniquets for Teachers, a nonprofit dedicated to training teachers and school staff in life-saving bleeding-control techniques to prepare for active-shooter emergencies in schools. He holds professional certificates from Harvard Business School in strategic planning, leadership, and communications, and is currently pursuing a Master's in Journalism at Harvard University. A proud father of three, Robert is known across the Space Coast for his fearless reporting, his commitment to community service, and — by his own admission — telling some of the worst dad jokes in Brevard County.