Canvas Cyberattack Raises Privacy Concerns After Hackers Claim Access to Millions of School User Accounts
A cyberattack targeting Instructure, the parent company of Canvas LMS, disrupted access to the learning platform earlier this month after hackers claimed to have stolen roughly 3.65 terabytes of data tied to the company’s educational systems.
Canvas is used by more than 8,000 schools and educational institutions across the United States, serving millions of students, teachers, and staff members. In ransom communications, the attackers said they possessed data tied to an estimated 275 million to 280 million user accounts connected to the service.
Although the company said the situation had been resolved, users later reported seeing a ransomware message on the Canvas login page attributed to ShinyHunters. The group has previously been linked to large-scale data theft and extortion operations.
Educational platforms like Canvas are often used for assignments, messaging, grading, and student access across multiple institutions, including K-12 school districts, community colleges, universities, and educational agencies such as Harvard University and Georgetown University. The incident occurred as many schools prepared for final exams and end-of-semester coursework.
According to Instructure, the attackers claimed in ransom communications to have obtained data on millions of students, teachers, and school employees at schools and institutions using Canvas. The group also threatened to release sensitive data, including usernames, email addresses, ID numbers, and messages, among other personal information, if a ransom was not paid.
State breach notification laws and certain federal privacy protections can require companies and institutions to notify affected users when personal information may have been accessed during a cyberattack. Data breaches can create risks beyond service disruptions, including identity theft, financial fraud, or the unauthorized release of sensitive user information online.
Reports indicate ShinyHunters has taken responsibility for a second education-related breach within the past month. In communications attributed to the group, the attackers alleged Instructure failed to adequately respond to earlier security concerns, stating the company “ignored us and did some ‘security patches.’”
Shortly after Instructure reported the incident, the FBI confirmed it was aware of the disruption affecting the platform and had mobilized resources in several states to assist impacted organizations. In a statement, the agency said receiving a ransom message does not necessarily mean personal information was compromised, noting that cybercriminal groups sometimes exaggerate claims about stolen data in an effort to pressure victims into making payments.
Federal investigators have continued pursuing cybercrime groups tied to large-scale ransomware and data theft operations targeting schools, universities, and online service providers. In 2024, the Department of Justice announced the sentencing of an individual accused of operating under the ShinyHunters name in connection with stolen data involving more than 60 companies.
During the second attack, Instructure announced that the attackers had targeted its Free-for-Teacher accounts. The company has temporarily shut down these types of accounts while it works to restore access to Canvas.