Instructure, the parent company of the well-known education platform Canvas, has recently confirmed that it suffered a cybersecurity breach that leaked the personal data of a large number of users. The hacker group ShinyHunters claims to have obtained personal information covering roughly 9,000 schools worldwide (up to 275 million people) and is using it to extort a ransom from the company. Instructure says it is working with external cybersecurity experts and law enforcement authorities to investigate, and although some users’ names, email addresses, and student ID numbers have been exposed, it emphasizes that there is currently no evidence that passwords or financial information were affected.
Canvas parent company Instructure confirms it was hacked, sparking a cybersecurity crisis in education
According to CNN, Instructure, the parent company of the globally well-known digital learning management system (LMS) Canvas, confirmed last Friday that its systems were hit by a cyberattack. Based on an initial investigation, the leaked information includes users’ names, email addresses, and student ID numbers from affected institutions, as well as messages exchanged between users. Because Canvas is widely used in U.S. schools at all levels to manage courses, submit assignments, and assign grades, the incident has raised concerns in education about the privacy and security of students’ and staff members’ personal data.
Hackers issue a final ultimatum! Personal data of 275 million records may be leaked
The well-known hacker group ShinyHunters has claimed responsibility for the attack and added Instructure to its darknet leak list. The group claims it has obtained sensitive personally identifiable information (PII) for 8,809 schools worldwide, totaling 275 million individuals, with affected parties including students, teachers, and school administrative staff. The hackers also said that the leaked data includes billions of private messages and data from the Salesforce system. ShinyHunters set a deadline of May 6, 2026, threatening to publish all of the data if no ransom was paid. As the deadline has passed, attention has turned to where the data goes next.
Instructure urgently launches security measures, revokes credentials and strengthens monitoring
After detecting abnormal activity, Instructure immediately took response measures to contain the cybersecurity vulnerability. The company said it has revoked privileged credentials and access tokens, deployed the latest security patches, and proactively replaced some encryption keys. While the current investigation indicates that the vulnerability has been contained, the company is still strengthening cross-platform system monitoring to prevent follow-on attacks. Instructure emphasized that, at present, there is no evidence indicating that users’ passwords, birthdays, government-issued ID documents, or any financial data were stolen.
A global alert for education tech security, the scope of Canvas personal data leakage keeps expanding
Instructure remains in contact with the affected educational institutions and pledges to post the latest findings immediately on the status page of its official website. Affected schools face not only legal responsibility for the leak of student personal data but also a privacy storm in which internal private messages could be made public. Cybersecurity experts advise people who use the system to remain vigilant against phishing emails or scams that may follow.
This article, “Education platform Canvas confirms it was hacked; personal user data of 275 million records may be leaked,” first appeared on Link News ABMedia.