The vast data breach at education platform Canvas this week exposed the vulnerability of student information as hackers increasingly target school systems, colleges and the tech companies they rely on in hopes of scoring big ransom payouts.
The latest attack comes as a handful of big educational technology providers are managing a huge amount of information and as a backlash brews among parents who want to curb computer use in classrooms.
Instructure, the company that operates Canvas, had been warned. Earlier this month, a message was sent, according to Ransomware.live: “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline,” and “FINAL WARNING PAY OR LEAK.”
On Thursday, almost 9,000 schools and 275 million people were affected, including students, teachers, faculty and staff whose personally identifying information was leaked, according to Ransomware.live. A hacking group known as ShinyHunters said it was behind the break-in, a copy of a ransom note obtained by The Washington Post shows.
It’s unclear exactly what data ShinyHunters took, but the group’s tactics involve stealing information and then threatening to release it unless their victims pay up. There’s potentially a Tuesday deadline looming, although hacker-tracking site Dark Web Informer said Thursday that ShinyHunters had taken Instructure off its published target list, likely indicating negotiations were taking place.
Instructure said the group first got into its systems by “exploiting an issue related to our Free-For-Teacher accounts.” Robert Johnston, the chief innovation officer at computer security firm N-able, said it’s common for hackers to use trial accounts before breaking their way further in.
The hack shut down the widely used platform in the midst of finals season. Canvas is used to manage grades, assignments and other coursework, so its collapse prompted some schools to advise faculty to be flexible about deadlines for exams and final projects.
According to Ransomware.live, ShinyHunters is a financially motivated data-theft and extortion group whose high-profile victims include Ticketmaster, Zara, Cisco Systems, Ikea, Panera Bread, Adidas and McDonald’s — as well as individual schools.
It’s not the first breach involving a major education technology platform. In December 2024, the K-12 education information platform PowerSchool was breached by hackers and said it decided to pay a ransom, hoping it would prevent data from being shared publicly.
The Federal Trade Commission alleged that another company, Illuminate Education, had failed to properly protect data it held, leading to a major breach. In December, the commission said it was requiring the firm to strengthen its security measures.
Multiple prominent universities, including Columbia University and Princeton University, had breaches in the past year. Some had admissions data leaked.
Schools have been targets for a long time, said Doug Thompson, chief education architect and director of solutions engineering for Tanium, a cybersecurity company, because they have so much data.
But the primary risk in education is no longer just the individual institution — it’s the small number of platforms like Canvas on which many of them depend.
“If I’m a bank robber, why do I want to go rob a thousand banks if I can go right to the mint?” he asked.
Thompson had a warning for students and others at the schools: “Assume your name and email are now in criminal circulation. Expect phishing attempts that reference real classes or instructors.”
Identity theft is also a concern.
Anton Dahbura, executive director of the Johns Hopkins University Information Security Institute, said phishing attacks are getting more sophisticated and convincing with artificial intelligence. And a new large language model is particularly good at spotting cyber vulnerabilities. “The systems that we rely on are really like Swiss cheese when it comes to the potential for cyberattacks,” he said.
Students are uniquely at a disadvantage — required by their schools to use platforms like Canvas to get their assignments done almost from the moment they set foot in elementary school.
“Students really don’t choose the tech that they use in the classroom,” said Sara Geoghegan, senior counsel at the Electronic Privacy Information Center. “They’re not choosing these vendors. They don’t have any control here.”
Brian Watkins, a spokesman for Instructure, said that after the company realized an “unauthorized actor” made changes to pages that appeared when students and teachers logged in, it took Canvas offline to investigate. He said the company confirmed that an issue related to its Free-for-Teacher accounts had been exploited, so it temporarily shut those down. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
Steve Proud, Instructure’s chief information security officer, posted online this month that the company had recently experienced “a cybersecurity incident perpetrated by a criminal threat actor.” A few days later, he wrote that while an investigation continued with outside experts, they believed the threat had been contained. The next day, the site went down.
Thursday night, the company posted that Canvas was available for most users and provided more information about the incident Friday.
But some schools were warning people to avoid the platform.
At the University of Maryland, officials posted Friday that Canvas appeared to be back up but urged people not to use it yet as they worked quickly to assess the safety of the platform. “We continue to ask faculty to deliver course materials to students and provide course-specific updates to assist end-of-semester preparations,” they wrote, adding that they aimed to provide further updates later in the day.
The hack affected a number of public K-12 schools, including districts in North Carolina, Florida, Virginia, Maryland, California, Nevada, Georgia and Oklahoma. By Friday afternoon, students and teachers had varying levels of access to the platform.
Montgomery County Public Schools, Maryland’s largest district with nearly 160,000 students, continued to restrict access to Canvas “until all services have been reviewed and confirmed safe for use,” officials said. In Broward County, Florida, most Canvas services had been restored by late Friday morning, the system said on social media. Fulton County Schools, which includes Atlanta, warned that hackers may have accessed information including names, email addresses and internal Canvas messages. The district said it did not share Social Security numbers or financial data with the platform.
Prince George’s County Public Schools sent an email to parents saying that while personal information including names, emails and student IDs was involved, more sensitive information such as passwords and financial information was not. The district urged people to be vigilant about suspicious messages and phishing attempts.
There is a federal law that governs the privacy of student information and gives parents rights to access data schools hold on their children. But Joel Schwarz, a founding member of the Student Data Privacy Project, said school districts often don’t understand their obligations well and the Education Department does little to enforce the law.
“It’s basically a free-for-all,” Schwarz said. “They lose it in a breach, so be it, it’s just a cost of doing business. It’s not really a big cost because nobody’s getting in trouble.”
The attack comes amid wider scrutiny of the way schools use technology. In most schools, every child has a laptop or tablet for completing assignments, taking tests and communicating with teachers. Now, in at least a dozen states, lawmakers and public school leaders are attempting to curb the reliance on technology — often in response to parent opposition.
“This data breach is a perfect example of why it is so urgent that schools interrogate their overuse of technology,” said Kate Brody, policy director at Schools Beyond Screens, a parent group based in Los Angeles. The local school board recently passed a resolution requiring classrooms to limit device usage. “Every new tech account is an opportunity for infiltration and abuse.”
The post Canvas hack exposes schools’ vulnerability to cyberattacks appeared first on Washington Post.




