That was the first sign in Raleigh that something had gone very wrong. By the end of the day, every public school district in North Carolina was offline. The people who pulled it off? A loose crew of teenagers. Here's how it actually went down.
Last week we wrote about a 12:05 a.m. encryption run in Ardmore, a Carolina clinic letter that took a year to mail, a school wire that left town and never came back, and a Fargo law firm that handed Akira 144 gigs without noticing. Five clocks. Five lessons.
This week the pattern shifts. The technology kept working. The trust didn’t. A free teacher account became a doorway into 8,809 schools. A pharmacist’s badge swipes finally got matched against a USB log eight years too late. A ransomware negotiator turned out to be the guy holding the keys.
If you run a dental office, a law firm, a clinic, or a town hall, the question after you finish reading isn’t whether your firewall holds. It’s whether the people on the other side of every relationship you trust are who you think they are.
01 // THE_FINALS_WEEK_HEIST
A few miles down the road in Raleigh, Jake Howland was getting an email from his kid’s school. Cybersecurity incident. Don’t click anything. Don’t try to access Canvas through any other links. He told ABC11, “It does bring in the question, you know, what the security is really like.” Same afternoon at NC State, student Jackson Stokes was telling the same reporter, “It just makes me concerned for what data could be out there.”
By 5 PM, Wake County had pulled the Canvas icon out of WakeID entirely. Will Burgess, a Wake County teacher and parent, summed up what every parent in the Triangle was thinking. He told WRAL the tool being down with finals coming up wasn’t his biggest worry. “I’m more concerned about my personal information, if it’s been accessed.”
By that evening the North Carolina Department of Public Instruction made the call. Kill Canvas access through NCEdCloud entirely. Wake County. Charlotte-Mecklenburg. Cabarrus. Union. Pitt County. Guilford. Every public K-12 district in the state. Locked out. Down at ECU, students walking across the commencement stage in Greenville couldn’t pull up their grades. Duke, UNC, NC State, NC Central, Fayetteville State, UNC Charlotte. All scrambling. The hack that lit up Harvard and Princeton and the University of Washington that same afternoon had landed right in our backyard.
The ransom note had a deadline. May 12. Pay up or watch 275 million records hit the internet. Names. Email addresses. Student IDs. Billions of private messages between students and teachers. 8,809 schools on the list. NC has been all-in on Canvas since 2015 when the state Department of Public Instruction made it the standard for every public K-12 school. One vendor. Every school. One breach. Every kid.
Here’s the part that should make every business owner reading this stop and pay attention. The crew that pulled this off isn’t a Russian state-sponsored APT. It isn’t North Korea. It’s a loose group of teenagers and twenty-somethings scattered across the US and UK, working remotely. The same crew behind the 2024 Ticketmaster hack that exposed 560 million people. They call themselves ShinyHunters and they’ve been running a playbook so simple it’s embarrassing: call somebody at the company on the phone, talk like IT, get them to click a link or hand over a code, and walk out with the keys.
// THE_TIMELINE
April 29: Initial intrusion. Instructure detects unauthorized activity in Canvas.
May 1: Instructure publicly confirms a “cybersecurity incident.” Says it’s contained.
May 3: ShinyHunters posts to a leak site. Claims 275M records, 8,809 schools.
May 6: First ransom deadline passes. Instructure does not pay.
May 7, 1 PM ET: Canvas login pages worldwide replaced with the ransom note.
May 7, evening: NCDPI cuts Canvas off NCEdCloud statewide.
May 8: Canvas restored. Free-For-Teacher program permanently shut down.
May 12: Extended ransom deadline. The day after tomorrow.
The way they got in this time wasn’t social engineering. It was a free product tier. Instructure runs something called the “Free-For-Teacher” program. Anybody who claims to be a teacher gets a Canvas account. No school district vetting. No district-level admin approval. The trust boundary between those free accounts and the production Canvas environment was supposed to be airtight. It wasn’t. ShinyHunters got in through that gap, then pivoted to API keys and service-level credentials that gave them visibility into roughly half the higher education institutions in North America.
Instructure says no passwords, no dates of birth, no social security numbers, no financial info. That’s the good news. The bad news is what they did get: every student name, every parent email, every student ID, and every private message a teacher ever sent a kid through Canvas. That’s a phishing goldmine. A scammer who knows your kid’s name, your kid’s school, your kid’s teacher, and the exact wording of how that teacher communicates can write an email that fools you in three seconds.
And this is the second time in eight months that ShinyHunters has hit Instructure. The September 2025 attack came in through their Salesforce environment using the voice phishing playbook. They got told no, they got patched out, and they came back through a different door. That’s the part nobody wants to say out loud. If a vendor gets breached and doesn’t fundamentally change how they operate, the same crew comes back. ShinyHunters even said it themselves in the ransom note. Word for word.
“Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”
— SHINYHUNTERS RANSOM NOTE
Now NC schools are stuck deciding what to tell parents. Districts are issuing the standard “be vigilant about phishing” advisories. The FBI is telling people not to engage with anyone claiming to have their kid’s data. And the May 12 deadline is sitting there like a countdown clock.
▸ WHAT_TO_DO_NOW
If your kids are in any NC public school, assume their info is in this breach. Treat any email, text, or call that mentions your kid’s school, teacher, or grade as a phishing attempt until you verify it through a known-good channel. Don’t click links from “the school.” Call the front office. If you run a business and use any SaaS platform that holds customer or student or patient data, ask the vendor today: do you have a free or self-service tier that connects back to my production environment? That’s the trust boundary that just blew up Canvas. It’s the one that’s gonna blow up the next platform too.
02 // THE_THREE_DAY_PATCH_ORDER
Read that sentence again. CISA, the federal cybersecurity agency, told every government agency they had until May 9 to fix a hole in their internet-facing firewalls. And Palo Alto Networks, the vendor, isn’t shipping the patch until May 13. The math doesn’t math. That’s how serious this one is.
The bug is CVE-2026-0300. It’s in the User-ID Authentication Portal feature, which is the captive portal a lot of small businesses use to authenticate guest wifi or VPN logins. An attacker who can reach that portal over the internet, which by definition includes everyone on earth, can send a single crafted request and get root access to the firewall. No login required. No exploitation chain. Just send the packet, own the box.
Palo Alto’s threat research team caught the first attempts on April 9. They were unsuccessful. A week later somebody figured out the working exploit and the activity went live. The team attributes it to a state-sponsored cluster they’re tracking as CL-STA-1132. Once inside the firewalls, the attackers were dropping tunneling tools, enumerating Active Directory, and running SAML authentication floods. That’s not a smash and grab. That’s somebody settling in for a long stay.
If your law firm, dental practice, or municipality has a Palo Alto firewall sitting at the edge of your network, and that firewall has the User-ID Authentication Portal feature turned on, somebody with state-level resources may already be inside. The only mitigation until May 13 is to block access to the portal from the public internet and restrict it to internal IP ranges only. Your MSP should already be on this. If they haven’t reached out to you about it by Monday, they aren’t paying attention and you have a different problem.
▸ WHAT_TO_DO_NOW
Email your MSP today. One sentence: “Are we running PAN-OS with User-ID Auth Portal exposed to the internet?” If the answer is yes, the next sentence is “shut it down until the May 13 patch lands.” If your MSP doesn’t know what you’re talking about, that’s also useful information.
03 // THE_VENDOR_BREACH_THAT_BECAME_YOURS
RXNT is one of those EHR and e-prescribing platforms that small medical and dental practices live on. Maryland-based. Used by thousands of small offices nationwide. On the first weekend of March, somebody got into their systems. The breach window was three days. The investigation took six weeks. The notifications went out May 1.
Patient names. Dates of birth. Addresses. Phone numbers. Patient IDs. The whole PHI starter pack. Now every dentist and family doc using RXNT is staring at a HIPAA breach notification clock with a deadline of May 15 to register at RXNTnotification.com so RXNT can send the patient letters on the practice’s behalf. After that, the practice has its own 60-day window to notify HHS, the state AG, and depending on the patient count, the local media.
Here’s the brutal part. The practice didn’t get hacked. RXNT got hacked. But under HIPAA, the practice is the covered entity. The practice’s name goes on the notification letter. The practice’s reputation takes the hit. The practice gets the OCR investigation if patient count crosses 500. This is the vendor risk story that every dental and family practice keeps ignoring until it shows up in their inbox dated yesterday.
▸ WHAT_TO_DO_NOW
If you use RXNT, register at RXNTnotification.com before May 15. If you don’t use RXNT but you use any cloud-based EHR or practice management software, pull up your vendor list this weekend. For each one, ask three questions: do I have a current Business Associate Agreement on file, when’s the last time they sent me a SOC 2 report, and what’s their breach notification SLA to me? If you can’t answer all three, you have homework.
04 // EIGHT_YEARS_INSIDE_THE_HOSPITAL
On Friday May 1, federal prosecutors in Baltimore indicted Matthew Bathula. The job title in the indictment is “clinical pharmacy specialist.” The actual job he was doing for eight years was something else entirely. From 2016 to 2024, he installed keylogging software on roughly 400 hospital workstations. He stole the credentials of at least 80 of his coworkers. He used those credentials to break into 195 people’s personal Google accounts, iCloud accounts, Gmail, M365. And then, because hospital security cameras and home security cameras run on the same kind of internet-connected platforms, he used the same credentials to remote-activate cameras in private treatment rooms and watch his female colleagues pump breastmilk.
The FBI eventually pulled 247 sexually explicit photos and 27 videos off his devices. He was caught when CrowdStrike correlated USB drive activity with badge swipes at workstations. Eight years and the thing that got him wasn’t fancy threat hunting. It was somebody finally connecting log A to log B.
Every dental office, every law firm, every small medical practice has the exact same setup as the hospital that missed this for eight years. Shared workstations in shared rooms. Long-tenured staff who nobody questions. USB ports that are physically plugged in and logically wide open. Audit logs that get generated and never read. The pharmacist didn’t need an exploit. He needed proximity, a USB stick, and a workplace where nobody was looking.
▸ WHAT_TO_DO_NOW
Audit who has local-admin rights on shared workstations in your office. The answer should be nobody except IT. Disable USB mass storage on clinical and reception PCs through Group Policy. Turn on the Unified Audit Log in Microsoft 365 if it isn’t already on, and put it on a calendar to actually review the high-risk events monthly. Replace shared logins with individual accounts even if it’s a hassle, because the hassle is the point. The hassle is what makes the bad behavior visible.
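The check that finally caught the pharmacist, log A against log B, as an added example (this is not the briefing's code and not what CrowdStrike ran): it joins removable-storage insertion events from an endpoint agent with door-badge swipes and flags anyone who keeps turning up in the room when a drive goes into somebody else's workstation. Every log line, name, room label and the 15-minute window below is constructed for the example.

```python
"""Correlate USB-insertion events with badge swipes.

Added example for this briefing, not CrowdStrike's tooling or the hospital's.
All log lines, names and rooms are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: removable-storage insertions as an endpoint agent might export them.
# Fields: timestamp, workstation, room, user logged in at the time.
USB_EVENTS = """\
2024-03-04T07:52:10 WS-ICU-01  ICU-Medroom    jsmith
2024-03-04T12:31:05 WS-ONC-04  Oncology-Nurse mwong
2024-03-06T18:10:40 WS-ICU-01  ICU-Medroom    jsmith
2024-03-07T06:58:22 WS-ED-07   ED-Triage      rpatel
2024-03-07T07:01:13 WS-ED-09   ED-Triage      rpatel
2024-03-11T19:45:00 WS-PEDS-02 Peds-Nurse     kdoe
"""

# Constructed: door-controller badge swipes. Fields: timestamp, badge holder, room.
BADGE_SWIPES = """\
2024-03-04T07:45:02 staff-17 ICU-Medroom
2024-03-04T07:47:30 jsmith   ICU-Medroom
2024-03-04T12:20:11 mwong    Oncology-Nurse
2024-03-04T12:29:48 staff-17 Oncology-Nurse
2024-03-06T18:02:15 staff-17 ICU-Medroom
2024-03-06T18:05:50 jsmith   ICU-Medroom
2024-03-07T06:50:09 rpatel   ED-Triage
2024-03-07T06:55:41 staff-17 ED-Triage
2024-03-11T19:40:33 kdoe     Peds-Nurse
"""


def parse_usb(text):
    """Parse whitespace-separated USB events into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ws, room, user = line.split()
        events.append({"time": datetime.fromisoformat(ts), "ws": ws,
                       "room": room, "user": user})
    return events


def parse_badges(text):
    """Parse badge swipes into dicts with a datetime."""
    swipes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, person, room = line.split()
        swipes.append({"time": datetime.fromisoformat(ts), "person": person,
                       "room": room})
    return swipes


def correlate(usb_events, swipes, window=timedelta(minutes=15)):
    """For each USB insertion, list who badged into that room within the
    preceding window (inclusive). Returns [(event, [people]), ...]."""
    out = []
    for ev in usb_events:
        present = sorted({s["person"] for s in swipes
                          if s["room"] == ev["room"]
                          and ev["time"] - window <= s["time"] <= ev["time"]})
        out.append((ev, present))
    return out


def rank_suspects(matches, min_workstations=3):
    """Per person, collect the workstations where a USB insert happened while
    they were in the room but someone else was logged in. One person showing
    up beside many other people's machines is the keylogger pattern; a user
    plugging a drive into their own machine is ignored."""
    foreign = defaultdict(set)
    for ev, present in matches:
        for person in present:
            if person != ev["user"]:
                foreign[person].add(ev["ws"])
    return {p: sorted(ws) for p, ws in foreign.items()
            if len(ws) >= min_workstations}


def run_demo():
    """Run the correlation over the constructed logs and return flagged people."""
    matches = correlate(parse_usb(USB_EVENTS), parse_badges(BADGE_SWIPES))
    return rank_suspects(matches)


if __name__ == "__main__":
    for person, stations in run_demo().items():
        print(f"{person}: in the room for USB inserts on {len(stations)} "
              f"other people's workstations: {', '.join(stations)}")
```

Either feed on its own looks routine: staff walk into rooms all day, and drives get plugged in all day. The join is what produces a short list. In a real office the USB side would come from the EDR or from Windows Security event 6416 (which needs PnP activity auditing turned on), and the swipe side from the door-controller export; the 15-minute window and the three-workstation threshold are tuning knobs, not findings.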
05 // THE_NEGOTIATOR_WAS_THE_ATTACKER
On Thursday May 1 in a Miami federal courtroom, two cybersecurity professionals got 48 months apiece in federal prison. Ryan Goldberg used to run incident response at Sygnia, an Israeli cybersecurity firm. Kevin Martin used to negotiate ransoms at DigitalMint in Chicago. Together with a third guy named Angelo Martino, they ran a side hustle deploying ALPHV BlackCat ransomware against the same kinds of companies they were paid to defend.
Martino’s case is the worst of the three. While DigitalMint had assigned him to negotiate ransoms on behalf of five client companies, he was simultaneously the BlackCat affiliate attacking those exact same five companies. He sat in client briefings. He read their cyber insurance policies. He found out exactly how much they could pay. Then he went home and used that information to set the ransom amount and squeeze them. Five DigitalMint clients paid a combined $75.25 million. One financial firm alone paid $25.66 million. The feds seized a 29-foot luxury fishing boat, a food truck, and a $1.68 million bayfront home.
One of the victim companies was a doctor’s office. Their patient data got leaked. The patients were notified. Nobody told them their negotiator was the guy holding the keys.
The cybersecurity industry is going to spend the rest of the year pretending this didn’t happen. The truth is that incident response is an unregulated field. There’s no licensing board. No mandatory background checks. No conflict-of-interest disclosures. You can quite literally be a paid IR firm one week and a ransomware affiliate the next, and right now nothing is stopping you. The industry is going to have to grow up. Until then, the only thing standing between a small business and a guy like Martino is the diligence of the small business owner doing the hiring.
▸ WHAT_TO_DO_NOW
Pick your incident response firm before you need them. Vet them like you vet a law firm. Ask for client references and actually call them. Ask who specifically would be on your engagement and what their background check looks like. Get your cyber insurance policy in place now, while you have leverage, not after you’ve been encrypted. And never, under any circumstance, give one person unilateral authority to wire money during an incident. Two-person rule on every transaction over $10K. No exceptions.
// PATCH_THIS_NOW
Forward this section to your IT person. If they don’t know what any of these are, that’s actually the answer to whether you’re protected.
Palo Alto PAN-OS — CVE-2026-0300. Unauth root RCE. State-sponsored exploitation in the wild. Patch lands May 13. Until then, restrict User-ID Auth Portal to internal IPs only.
Ivanti EPMM — CVE-2026-6973. Authenticated admin RCE actively exploited. Federal patch deadline May 10. Update to 12.6.1.1 / 12.7.0.1 / 12.8.0.1.
ConnectWise ScreenConnect — CVE-2024-1708. Path traversal RCE being actively exploited by North Korea’s Kimsuky group. If your MSP uses ScreenConnect on-prem, patch deadline is May 12.
cPanel/WHM — CVE-2026-41940. Unauthenticated admin bypass. Roughly 1.5 million instances exposed. If your website is on shared hosting, ask your provider whether they’ve patched.
DAEMON Tools Lite. Trojanized installers were distributed from the official site between April 8 and May 5. If anyone on your team installed DAEMON Tools in the last month, uninstall, scan, and rotate any credentials that touched that machine.
// THE_BOTTOM_LINE
Look at what we covered this week. ShinyHunters got into Canvas through the free teacher tier. The pharmacist got into 195 hospital workers’ personal lives because nobody was checking USB activity against badge swipes. RXNT got hit and now thousands of small medical practices have to send breach letters they never wrote. The DigitalMint negotiator got rich because nobody verified who was on the other end of the IR engagement.
Five different stories. One pattern. The attack didn’t come through the firewall. It came through a relationship. A free account. A tenured employee. A trusted vendor. A hired professional. The technology kept working. The trust didn’t.
Spend an hour this weekend listing every relationship in your business that has access to something important. Then ask yourself, for each one, what would happen if that relationship turned out to be different than what you thought. That list is your real attack surface. Defend it accordingly.
Stay sharp out there.
See you next week.
Austin Eatman
Co-Founder // CyberFortify Solutions
FORTIFIED_WEEKLY
This briefing was Issue #007.