
Massive breach of the learning platform exposes sensitive student data, reignites concerns over cybersecurity in education
Canvas, a learning management system used by schools and universities worldwide, fell victim to a major cyberattack that disrupted access for millions of students during finals week. Students and educators across North America suddenly found themselves unable to access assignments, exams, grades, and course communication at one of the busiest times of the semester.
The hacker group ShinyHunters claimed responsibility for the attack, saying it stole data connected to nearly 9,000 institutions globally. The group reportedly threatened to release stolen information unless a ransom agreement was reached with Instructure, the company that owns Canvas.
The breach quickly became more than just a temporary outage.
Commentary from Stefanie Schappert, Senior Journalist at Cybernews, described the situation as “something much bigger – a test of whether the more than 8,000 schools caught up in the hack can trust a hacker group’s word that stolen student data was actually destroyed.”
Among other data elements, student ID numbers were exposed in the Canvas cyberattack. Additionally, the breach reportedly included student names, email addresses, enrollment data, and private messages exchanged between students and teachers. Schappert says that the attack may have involved “billions of private messages” stored on the platform.
The attack caused widespread outages, with many schools temporarily shutting down Canvas access or switching to alternative communication methods.
The disruption came during an especially stressful time for students, as many colleges and universities were in the middle of final exams, assignment deadlines, and graduation activities. Students expressed frustration and panic because they could not access study materials, submit assignments, or contact professors during this critical period.
Some schools opted to delay or cancel final exams altogether after outages prevented access to course materials and testing systems.
The University of Illinois postponed its final exams and assignments.
Penn State canceled certain exams scheduled for Thursday and Friday night, saying it was working with faculty to "determine next steps for final grading." The university urged students to check their emails – not Canvas – regularly in the meantime.
Baylor University delayed its Friday exams and asked all faculty to send study materials from their local computers directly to students via email.
This incident highlights the dependency schools have on centralized online learning platforms such as Canvas and the risk this brings.
Canvas is “no longer just a homework portal,” Schappert says. For many schools, it functions as “the classroom, gradebook, assignment tracker, messaging hub, exam platform, and student records pipeline all rolled into one.”
As outages spread, the breach demonstrated how a cyberattack on one education platform can affect millions of students and educators at the same time.
Schools rely heavily on platforms like Canvas to store sensitive student information. Once schools depend entirely on one system, outages and cyberattacks can quickly escalate into widespread academic disruptions.
Once student data is stolen, control is gone, even if hackers later claim the information was deleted after payment agreements were reached.
Stolen data could still be copied, shared among affiliates, or resurface months later despite promises of destruction. It can also still be used for phishing scams or identity-related fraud, even if financial information isn’t leaked.
Though students may seem like unlikely targets, education-related breaches are not uncommon. Young people rarely track their own credit, use credit monitoring services, or set up credit bureau locks and flags. This means that it can take years for them to notice fraudulent loans, credit cards, or other forms of identity theft.
Instructure later announced it had reached an agreement with the hackers, saying the stolen data was returned and verified as destroyed. Still, it is questionable whether there is a reliable way to fully confirm that copies of the data were not retained elsewhere.
Stolen student data could still be valuable for phishing scams, identity-related fraud, and targeted social engineering attacks, even with Canvas back online.
The situation drew comparisons to the 2024 PowerSchool breach, where hackers allegedly continued extortion attempts even after receiving payment and promising to delete stolen information.
The incident raised concerns about whether paying ransomware demands actually protects victims or simply delays future risks. Schools and students may still face long-term consequences even after ransom agreements are made.




