Instructure's Canvas learning management system has suffered a major data breach, with the ShinyHunters group claiming theft of approximately 275 million student and staff records spanning more than 7,000 universities and K-12 districts. The stolen dataset reportedly includes years of academic activity, communications, and other personal information tied to student identities. Disruptions to Canvas access during peak exam season led several US universities, including Harvard and Northwestern, to postpone final exams. Reports indicate Instructure paid the ransom demand, though attackers had already exfiltrated the data. Initial access is believed to have involved social engineering targeting identity, consistent with prior ShinyHunters tradecraft. Downstream risks include long-term phishing, impersonation, and identity fraud, particularly for minors whose identities may remain unmonitored for years.
- Canvas breach puts global education cyber risk in focus(opens in a new tab)
- After the Canvas breach, security takes centre stage for SaaS pr(opens in a new tab)
- Attorney General Jeff Jackson Urges North Carolinians to Protect(opens in a new tab)
- Canvas security breach: What the Shiny Hunters attack means for (opens in a new tab)
- Canvas data breach may have exposed millions of student and teac(opens in a new tab)
- How the Canvas data breach further frayed families’ trust in ed (opens in a new tab)