A recent post on X has been getting a lot of attention, including in some snarky screengrabbed archiving as it has made its way onto various other platforms (snarkiving?)

The reason for its popularity came down to a mathematical claim about success:

As hundreds of commentators pointed out, the maths here is wide of the mark. To give a simple example, your probability of getting heads with a fair coin toss is 1/2. If you try twice, you don’t have a 100% chance of getting at least one head. You have a 3/4 chance (i.e. you need to avoid failure twice).

Similarly, if we want to know chance of at least one success if each attempt has a 1/100 probability, we need to calculate the chance that you don’t fail at all 100 attempts, given there’s a 99/100 probability of failure each time:

And 63% is not 100%.

Even so, the above calculation assumes that each attempt is independent and equally likely to succeed, which will rarely hold in practice. In reality, your probability of success should change as you learn; the goal isn’t just to try more, but to improve your chances with each attempt.

As some people also pointed out, the directional sentiment was correct, even if 100% isn’t the same as 63%. Pushing through lots of failures is generally important if you want to eventually achieve some success. After all, I’ve lost count of how many book rejections, grant rejections, and investor rejections I’ve had over the years.

And ultimately, if you’re spending time telling people they’re wrong on the internet, you’re probably not out there doing hard things.

Now, you might respond that mathematical errors matter in life, and correcting them is worthwhile. Often that can be true. But in this instance, does the correction shed much more light on the probability of success?

Mathematician Stanislaw Ulam once said that ‘Knowing what is big and what is small is more important than being able to solve partial differential equations’.

This distinction is important, because, in reality, you’ll rarely know your exact chance of success on a given attempt. It might be 1%, it might be 20%, it might be 0.1%.

Even having some data doesn’t alway help. If you apply for a grant with a 5% success rate, for example, it doesn’t mean your personal chance of success is 5%. Having reviewed a lot of proposals over the years, there’s often consensus about the outstanding applications and extremely weak ones. Neither of these groups ever had a 5% chance.

This means it’s not only about attempt tallies. If your probability of success is 0.1% and you try 100 times, your overall chance of success is 9.5% according to the correct mathematical approach above. And if your probability is 1% and you try 10 times, your overall chance is also 9.5%.

In other words, for situations where the probability of success is small, and your number of attempts is small relative to that probability, Hormozi’s simple calculation can actually provide useful rough intuition. If probabilities are small and attempts are limited, either you need more attempts, or a better probability per attempt. Both have the same impact.

(For maths fans, this approximation works because:

when x is small relative to n.)

It is of course misleading to suggest that 100 attempts would guarantee success given a 1% probability on each effort. But a better critique would be that trying to put numbers on these things in the first place isn’t that informative when it comes to the deep uncertainty of success.

As J.M. Keynes wrote in 1937:

By ‘uncertain’ knowledge, let me explain, I do not mean merely to distinguish what is known for certain from what is only probable. The game of roulette is not subject, in this sense, to uncertainty; nor is the prospect of a Victory bond being drawn. Or, again, the expectation of life is only slightly uncertain. Even the weather is only moderately uncertain.

The sense in which I am using the term is that in which the prospect of a European war is uncertain, or the price of copper and the rate of interest twenty years hence, or the obsolescence of a new invention, or the position of private wealth-owners in the social system in 1970. About these matters there is no scientific basis on which to form any calculable probability whatever. We simply do not know.

This idea would later become known as ‘radical uncertainty’, where the concepts honed on dice games and roulette would break down. But this wasn’t the main concern about the post on X. Instead, here are some of the comments below the post’s flawed calculation:

“that’s girl math”

“With your understanding of math, your probability of success is near zero”

“Your math ain’t mathing sugar pie. Go back to primary school.”

What is the benefit of such comments? What, even is the benefit, of posting, or quoting, or snarkiving something that has been corrected hundreds of times already?

To inform? To persuade? Or to signal merely that you know some high school probability – but perhaps not enough to realise that it’s not really a problem that probability can solve.

Cover image: Girgio Travato

And more on the quirks of 63% when it comes to randomness:

I don’t like people adding tracking stuff to URLs.
Still less do I like people adding tracking stuff to my URLs.

https://chrismorgan.info/no-query-strings?ref=example.com? Did I ask?
If I wanted to know I’d look at the Referer header; and if it isn’t there, it’s probably for a good reason.
You abuse your users by adding that to the link.

https://chrismorgan.info/no-query-strings?utm_source=example&utm_&c.?
Hey! That one’s even worse, UTM parameters are for me to use, not you.
Leave my URLs alone.

So I’ve decided to try a blanket ban for this site: no unauthorised query strings.

At present I don’t use any query strings.
If I ever start using any query strings, I’ll allow only known parameters.
(In past times I used ?t=… and ?h=… cache-busting URLs for stylesheet URLs;
and I decided I’m okay breaking such requests; there shouldn’t be any legitimate ones.)

Want to see what happens if you add a query string? Go ahead, try it.

It’s my website: I can do what I want with it.

And you can do what you want with yours!

This is currently implemented in my Caddyfile.

You find yourself in front of a door made of heavy, dark wood, and inscribed with a calendar of moon phases and constellations. A scrap of paper sticks out from the bottom of it, yellowed with age. It begins:

Microscope is a world building TTRPG published by Lame Mage Productions. Published quite a while ago, too, back in 2011 (15 years ago!) making this the oldest game I've talked about so far. It's a staple of the indie TTRPG scene, one of the games that you've probably heard about even if you haven't played it.

In Microscope, you create a timeline of events at varying levels of scope and scale. You can zoom out to define whole periods of history, or zoom in to a specific moment. It's GM-less, with each player taking on the role of the "Lens" throughout play, dictating the "Focus" of that round - the thing (event, person, theme, institution) that every contribution will touch on. Players then take turns adding either a period (a swathe of time), an event (a specific thing that occurs within a period), or a scene (a single moment within an event) to the timeline. The round ends when every player has gone once (except the Lens, who goes twice) and the role of Lens passes to the next person.

Generally I feel like my thoughts on Microscope can be summed up thusly:

Microscope is not the most exciting game of all time, but it is a well made game that does what it sets out to do, and it is a foundational building block that many games that I like have been built on. Such is the case with many games from the early 2010s, but Microscope in particular just doesn't have enough for me. It doesn't have The Sauce™.

...

Anyways, there's a rule in Microscope that I haven't stopped thinking about since I played it:

Don't collaborate. Don't collaborate? In my collaborative tabletop roleplaying game?

(It's more likely than you think.)

I played Microscope with a group of friends that I have played a looooot of TTRPGs with. When we came across this rule, we were baffled. Why is this here? Why wouldn't we collaborate? That's kinda The Thing we're here to do!

My first thought was that it's there to assist less confident players. To prevent them from being talked over and give them space and time to create their own contributions.

Which makes sense! Microscope doesn't really have defined borders, it's much more focused on telling you what you can do vs what you can't do. Add the lack of a GM or solid mediator and it's easy for some players to become the loudest voices at the table and step on others' toes.

My second thought was that it's there to prevent turns from going on too long. When you've got everyone jumping in with ideas it definitely runs the risk of stretching your game time as each idea needs to be considered or dismissed, and since Microscope is meant to be able to run in one session it needs to keep things tight.

But that's neither of these are actually what the rule says it's there for:

If you collaborate and discuss ideas as a group, you’ll get a very smooth and very boring history. But if you wait and let people come up with their own ideas, they may take the history in surprising and fascinating directions.

The key words here are boring, surprising, and fascinating — Microscope wants you to do weird shit; it wants you to stop being precious with your toys. There's a whole section about how OK it is to destroy things that others have established:

(The answer is very.)

So while I think this rule does give everyone at the table a chance to speak, and does keep the game going, the main purpose of it is to keep your game weird and encourage people to create unique ideas that may not mesh with what other people at the table are thinking.

However, I don't know if I agree with the assumption that working collaboratively will create less interesting ideas. Plus, the secret is that Microscope is still a collaborative game, even though it explicitly discourages collaboration. You're still creating the timeline together, and the things that you create will influence what the other players create and vice versa. The game actually points this out in the first part of the aside that I neglected to show you earlier:

Which I think is part of why this rule hit me as really odd at first. It feels contradictory to have a header saying "Don't Collaborate" after explaining how you're going to collaborate with each other during play, and even though the section goes on to explain that you're not meant to collaborate with each other in specific ways during specific parts of the game my main takeaway from my initial read-through was that we weren't meant to collaborate at all — which then lead to my initial reaction of "but that's literally what I'm here to do!"

I did, eventually, get it, but only after we'd finished our game and I started writing this post. Which I think is really unfortunate, especially since I now really like the rule where before I wasn't taking it seriously at all.

Part of what helped me understand it was reading through the afterword in Microscope, a small section at the back of the rulebook where Ben literally talks about "How Microscope Works," including a section about this specific rule!

In it, Ben goes over why this rule exists, and actually mainly talks about the first point I came up with: that it keeps more dominant players from overshadowing any wallflowers at the table. But the part that got me is this paragraph:

And, yeah, that discomfort is definitely something I experienced and have experienced before while playing other games. Sitting with everyone's eyes on you and struggling to come up with something interesting is not fun, and there's always the fear that you'll come up with something that's bad.

Ben addresses this too, though:

This makes sense with the way Microscope works, though it's perhaps a bit contradicted by earlier parts of the book that talk about how you need to pitch the other players on what you create so they'll be interested in exploring it. It's impossible to fully remove that pressure to create something cool; we all want to impress the people we play with. Still, the more I thought about it, the more I ended up liking this rule.

The main reason is that it challenges a feeling that I have, which is that I come up with more interesting ideas when I'm bouncing them off of other people.

And I think that's a worthwhile thing to have challenged. I'm a creative guy! I have ideas, I make stuff! Sometimes I do it all by myself! This isn't something that changes when I'm making stuff with other people, but I do tend to defer to the people I'm with in those situations. I think most people do — or at least feel like they do! Especially the kinds of folk who play TTRPGs.

So, while I still don't fully agree with the idea that collaborating with others makes your game (or project, or anything else you do) less interesting, I do think that this rule forces players to exercise their own creative confidence. Which is good! Plus it adds something really interesting to Microscope.

It gives it The Sauce™.

I did, by the way, literally change my opinion on Microscope and this rule as I was writing this post, which was originally going to be a piece about how weird and bad this rule is. But it turns out that it's good, and that Microscope is good, almost like there's a reason why its such a long standing staple of the indie scene. I would love to play it again while taking this rule more seriously and see if my opinion changes even more.

It also makes me wonder what other games would benefit from this sort of non-collaborative gameplay. Could this be taken even further? Could you create a game that's almost entirely parallel play? A game where the players aren't allowed to talk to each other at all? What would happen if you took a fully collaborative game and changed bits of it to be non-collaborative?

Imagine a game where everyone is wordlessly putting up index cards on a board. Zero communication allowed beyond what's written and what's read, the only connecting thread being the rules of the game — whatever those may be.

I bet this would create something really interesting!

Or maybe it wouldn't work at all, who knows.

If you know of other games that do this sort of thing, let me know by hitting me up on tumblr or bluesky, and if you have an idea for how to integrate this into a game or have your own thoughts on Microscope I'm very interested in hearing those as well.

Thanks for reading!

• N.A.

p.s. oooo i love to procrastinate oooo i love to slide posts in right under the wire of the end of the month

seriously though writing this post was really fun i love to find out im wrong about something. everyone should do this — if you find something that bothers you think about why!! maybe you are actually the one who is stupid. it can happen to anyone.

the most "ah fuck" moment of writing this is when i read the afterword in Microscope for the first time and gang. when i found the section about this rule i was like. ah. fuck. and then i went back and rewrote half the post.

moral of the story: read the whole rulebook before trying to critique it, and also everybody should put an explanation of why they did things the way they did in their game*. its such a cool and fantastic resource for future designers!

*or at least write a blog post about it :3

im currently running Under Hollow Hills and having an incredible time with it so that will probably be what i write about next and maybe this time! i will not post on the last day of the month. maybe.

see you then!

An anonymous reader quotes a report from Wired: Security researcher Dor Zvi and his team at the cybersecurity firm he cofounded, RedAccess, analyzed thousands of vibe-coded web applications created using the AI software development tools Lovable, Replit, Base44, and Netlify and found more than 5,000 of them that had virtually no security or authentication of any kind. Many of these web apps allowed anyone who merely finds their web URL to access the apps and their data. Others had only trivial barriers to that access, such as requiring that a visitor sign in with any email address. Around 40 percent of the apps exposed sensitive data, Zvi says, including medical information, financial data, corporate presentations, and strategy documents, as well as detailed logs of customer conversations with chatbots. "The end result is that organizations are actually leaking private data through vibe-coding applications," says Zvi. "This is one of the biggest events ever where people are exposing corporate or other sensitive information to anyone in the world." Zvi says RedAccess' scouring for vulnerable web apps was surprisingly easy. Lovable, Replit, Base44, and Netlify all allow users to host their web apps on those AI companies' own domains, rather than the users'. So the researchers used straightforward Google and Bing searches for those AI companies' domains combined with other search terms to identify thousands of apps that had been vibe coded with the companies' tools. Of the 5,000 AI-coded apps that Zvi says were left publicly accessible to anyone who simply typed their URLs into a browser, he found close to 2,000 that, upon closer inspection, seemed to reveal private data: Screenshots of web apps he shared with WIRED -- several of which WIRED verified were still online and exposed -- showed what appeared to be a hospital's work assignments with the personally identifiable information of doctors, a company's detailed ad purchasing information, what appeared to be another firm's go-to-market strategy presentation, a retailer's full logs of its chatbot's conversations with customers, including the customers' full names and contact information, a shipping firm's cargo records, and assorted sales and financial records from a variety of other companies. In some cases, Zvi says, he found that the exposed apps would have allowed him to gain administrative privileges over systems and even remove other administrators. In the case of Lovable, Zvi says he also found numerous examples of phishing sites that impersonated major corporations, including Bank of America, Costco, FedEx, Trader Joe's, and McDonald's, that appeared to have been created with the AI coding tool and hosted on Lovable's domain. "Anyone from your company at any moment can generate an app, and this is not going through any development cycle or any security check," Zvi says. "People can just start using it in production without asking anyone. And they do."

Read more of this story at Slashdot.

“Natasha Singer is a reporter for the New York Times who writes about how tech companies, digital devices and apps are reshaping childhood, education and job opportunities.” This article appeared April 29, 2026.

Los Angeles parents are fed up with schools loading up students with laptops and tablets, and assigning schoolwork on a slew of apps.

Some families, who had decided against giving their children screens at home, told school board members that they were appalled to find young students using school-issued devices — even in kindergarten. Some parents complained that their children were able to play video games or watch social media videos during school. Others reported that an A.I. app, which fourth graders were assigned to use to create portraits of the fictional Swedish schoolgirl Pippi Longstocking, generated sexualized imagery.

Such concerns prompted parents last year to form a group called Schools Beyond Screens to push for increased technology oversight in the Los Angeles Unified School District, the nation’s second-largest public school system.

Last week, the Los Angeles school board passed a resolution requiring the district to restrict student access to YouTube, eliminate digital devices entirely through first grade and develop screen time limits for higher grades — becoming the first major U.S. school system to do so.

The parents’ successful campaign points to an escalating national reckoning for the powerful classroom technology industry. Encouraged by the fast spread of school cellphone bans, parents, teachers and legislators across the United States have banded together to ensure that technology use in schools is beneficial for learning.

In New York City, hundreds of parents have urged the mayor to postpone the introduction of artificial intelligence chatbots like ChatGPT in schools. Last month, the governor of Utah signed a law that will allow parents to see how much time their child spent on a school device and review the websites their child visited.

In Oregon this month, parents successfully pressed the Bend-La Pine school board to pass a resolution requiring a district review of all school-issued devices and apps for educational effectiveness. The resolution also requires the district to remove apps that don’t prove effective.

In Los Angeles, parents urged school board members to back the new tech restrictions.

“For over a year, our members have been advocating for a safe and science-backed approach to classroom technology,” said Anya Meksin, the deputy director of Schools Beyond Screens. “Enough to Big Tech encroaching into our public schools.”

For years, tech giants like Google and Apple, along with companies that make school software, have marketed their technologies to schools. The tech industry promised that the devices and apps would customize learning, improve students’ academic results and widen job opportunities. Many districts rushed to adopt the tools, fueling a booming, multibillion-dollar school tech market.

But some researchers have found that digital devices failed to boost students’ test scores and graduation rates, and that they can significantly detract from learning.

Current and former school district officials say the fast-growing parents’ crusade reflects a longstanding reality: Many public schools lack the resources to adequately vet classroom tech.

“The burden on school districts to manage these systems is enormous,” said Hal Friedlander, a former chief information officer of New York City Public Schools who has also helped other school districts evaluate technology. “Unfortunately, most districts are small and they don’t have the resources or the expertise.”

Some children’s educational organizations have similar concerns. This year, two United Nations agencies, UNICEF and UNESCO, issued online learning guidelines warning that public schools had largely ceded digital education to private tech companies.

Online learning tools had introduced important innovations, the U.N. agencies said. But they also warned that digital learning platforms could treat schoolchildren “like consumers”; expose students to health, safety and privacy risks; and threaten school “autonomy.” Instead, “public needs and public purposes must steer” digital learning, UNESCO and UNICEF recommended.

Some tech companies and school tech organizations note that using school laptops and apps can teach students important digital skills. And they argue that parent groups are conflating children’s social media use — like students scrolling through streaming videos during class — with useful learning tools specifically designed for education. Some math and reading apps, for instance, can customize lessons to each child, allowing teachers to chart the student’s progress.

“Educational technology allows teachers to differentiate instruction and assess student understanding in real time,” said Keith Krueger, the chief executive of the Consortium for School Networking, a nonprofit organization for school technology leaders. (The school networking group’s corporate sponsors include Amazon, Google, Lenovo and Microsoft.)

In recent interviews and Zoom meetings, parents in more than a dozen states raised concerns about the safety, privacy and effectiveness of student devices, classroom software and learning apps. Some parents pointed to well-known school software companies that have recently faced complaints about poor data security and the collection of sensitive student data. Other parents said their districts struggled to limit student access to video games and video-streaming platforms on school-issued devices.

Over the last year, Los Angeles has become a center of parent-led efforts to rein in school tech.

In a recent Zoom presentation for Los Angeles parents, Alisha Mernick described how she had started a campaign at her son’s elementary school to help families opt their children out of i-Ready, a math and reading app with gamelike features.

Ms. Mernick, 40, and other parents said they were concerned that the app used video-gamelike techniques, including cute animation and reward points, to hook youngsters.

In some schools, students who accumulate reward points for completing lessons on i-Ready, a math and reading app, can use the points to play games.

“If I’m giving my 5-year-old a game-ified version of a worksheet, it will hijack the development of her intrinsic motivation and jeopardize her ability to learn,” said Ms. Mernick, who teaches art education at California State University, Northridge.

In a statement, Curriculum Associates, the company behind i-Ready, said its online learning assessments and lessons “help teachers act on student needs faster and more precisely.” The company added that i-Ready’s student-engagement techniques “mirror classroom reward systems.”

Parents say their concerns escalated after recent scandals related to student tech.

In 2023, the Los Angeles Unified School District approved a $6.2 million deal with a little-known A.I. start-up to develop a chatbot for student use. The next year, federal prosecutors charged the founder of the start-up with defrauding investors.

The A.I. chatbot fiasco prompted Schools Beyond Screens this year to start a petition, called “Get Big Tech Off Kids’ Desks.” It urged the Los Angeles school system to audit recent tech contracts to make sure the digital tools for students were “safe, legal and effective.” More than 1,000 people have signed on.

Among the concerned parents is Sandra Martinez Roe, 50, a children’s book author whose son attends a Los Angeles elementary school. She said she had chosen not to buy him an iPad or a laptop for home use. At the start of second grade, however, her son came home with a school-issued Chromebook for his schoolwork.

She worried about the kinds of websites the school device might enable him to view. She was also concerned that some online learning software seemed to lack rigorous proof of educational effectiveness.

“They’re just selling it and pushing it through the school system,” said Ms. Roe, who is a member of the Schools Beyond Screens leadership team. “Our children are the guinea pigs.”

In a statement, the Los Angeles Unified School District said it had thorough processes for evaluating technology tools to ensure that “any platform used with students meets rigorous standards for privacy, cybersecurity and educational effectiveness.”

After the Pippi Longstocking incident, the district said, it reviewed how the A.I. tool was used in classrooms and worked with the software company on “strengthening content controls.” As for i-Ready, the district said the math and reading app helped inform teachers’ instructional decisions and improve student learning.

“We will continue to apply and strengthen our review processes to ensure that all approved tools meet the high standards our students and families deserve,” the district statement said.

Meta is accused of failing to keep children off Facebook and Instagram.

Now, Los Angeles school board members like Nick Melvoin are pushing for increased tech oversight in schools. In 2024, he championed a board resolution that barred student cellphone use during school. This year, after working with Schools Beyond Screens, Mr. Melvoin introduced the recent resolution curbing school technology.

In addition to new screen time limits for each grade, the policy will require elementary and middle schools to prohibit student device use during lunch and recess. The district must also compile a report on all current school technology contracts.

“I think of it as a recalibration, a policy that tries to strike the right balance for our kids,” Mr. Melvoin said in an interview. Additional oversight seems especially urgent, he added, now that some popular school tech products have enabled new A.I. tools for students.

“I do think parents should know: Your kids have access to these tools at school,” he added.

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions.

Canvas parent firm Instructure [NYSE:INST] responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students.

Instructure acknowledged a data breach earlier this week, after the cybercrime group ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwords, dates of birth, government identifiers or financial information.

The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform. “At this stage, we believe the incident has been contained,” Instructure wrote.

However, by mid-day on Thursday, May 7, students and faculty at dozens of schools and universities were flooding social media sites with comments saying that a ransom demand from ShinyHunters had replaced the usual Canvas login page. Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance. Check back soon.”

“We anticipate being up soon, and will provide updates as soon as possible,” reads the current message on Instructure’s status page.

While the data stolen by ShinyHunters may or may not contain particularly sensitive information (ShinyHunters claims it includes several billion private messages among students and teachers, as well as names, phone numbers and email addresses), this attack could hardly have come at a worse time for Instructure: Many of the affected schools and universities are in the middle of final exams, and a prolonged outage could be highly damaging for the company.

The extortion message that greeted countless Canvas users today advised the affected schools to negotiate their own ransom payments to prevent the publication of their data — regardless of whether Instructure decides to pay.

“ShinyHunters has breached Instructure (again),” the extortion message read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'”

A source close to the investigation who was not authorized to speak to the press told KrebsOnSecurity that a number of universities have already approached the cybercrime group about paying. The same source also pointed out that the ShinyHunters data leak blog no longer lists Instructure among its current extortion victims, and that the samples of data stolen from Canvas customers were removed as well. Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

Dipan Mann, founder and CEO of the security firm Cloudskope, slammed Instructure for referring to today’s outage as a “scheduled maintenance” event on its status page. Mann said Shiny Hunters first demonstrated they’d breached Instructure on May 1, prompting Instructure’s Chief Information Security Officer Steve Proud to declare the following day that the incident had been contained. But Mann said today’s attack is at least the third time in the past eight months that Instructure has been breached by ShinyHunters.

In a blog post today, Mann noted that in September 2025, ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and other confidential materials — through what the Daily Pennsylvanian and other outlets later determined was, in part, a Canvas/Instructure-mediated access path.

“Penn was the named victim,” Mann wrote. “Instructure was the mechanism. The incident was treated as a Penn-specific story by most of the national press and quietly handled by Instructure as a customer-specific matter. That framing was wrong then. It is dramatically more wrong in light of the May 2026 events, which now look like the planned escalation of an attack pattern that ShinyHunters had been working against Instructure’s environment for at least eight months prior. The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.”

In February, a ShinyHunters spokesperson told The Daily Pennsylvanian that Penn failed to pay a $1 million ransom demand. On March 5, ShinyHunters published 461 megabytes worth of data stolen from Penn, including thousands of files such as donor records and internal memos.

ShinyHunters is a prolific and fluid cybercriminal group that specializes in data theft and extortion. They typically gain access to companies through voice phishing and social engineering attacks that often involve impersonating IT personnel or other trusted members of a targeted organization.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers. The extortion group told BleepingComputer they breached the company by compromising an employee’s Okta single sign-on account in a voice phishing attack that enabled access to ADT’s Salesforce instance. BleepingComputer says ShinyHunters recently has taken credit for a number of extortion attacks against high-profile organizations, including Medtronic, Rockstar Games, McGraw Hill, 7-Eleven and the cruise line operator Carnival.

The attack on Canvas customers is just one of several major cybercrime campaigns being launched by ShinyHunters at the moment, said Charles Carmakal, chief technology officer at the Google-owned Mandiant Consulting. Carmakal declined to comment specifically on the Canvas breach, but said “there are multiple concurrent and discreet ShinyHunters intrusion and extortion campaigns happening right now.”

Cloudskope’s Mann said what happens next depends largely on whether Instructure’s customers — the universities, K-12 districts, and education ministries paying for Canvas — choose to apply pressure or absorb the breach quietly.

“The history of education-vendor incidents suggests the path of least resistance is the second one,” he concluded.