The breach of a leading educational technology provider has raised fears and concerns regarding possible downstream implications for schools, their staff, and their students.
Instructure, which provides learning management system (LMS) software Canvas for K-12 and higher education clients, disclosed a data breach on May 1 in which a threat actor stole “certain identifying information of users at affected institutions,” the company said on its status page. This identifying information includes names, emails, student ID numbers, and messages shared among users. There is no evidence passwords, dates of birth, government identifiers, or financial information were stolen, according to the disclosure.
When Instructure initially disclosed the incident, Canvas Data 2 and Canvas Beta were briefly taken offline for maintenance to facilitate the investigation, as was Canvas Test. Canvas Data 2 became available May 3, Beta on May 4; Test remains under maintenance.
ShinyHunters, a prolific data extortion threat actor, took responsibility for the hack, claiming it exfiltrated 3.65TB of data representing approximately 275 million users across 9,000 institutions. On its data leak site, ShinyHunters listed a deadline of today alongside a threat to Instructure of “PAY OR LEAK.”
Steve Proud, chief information security officer at Instructure, said the company engaged outside forensics experts and took multiple incident response steps, including revoking privileged credentials and access tokens associated with affected systems, deployed patches to enhance security, rotated certain keys out of an abundance of caution (even though there was no evidence they were misused), and implemented increased monitoring across all platforms.
“Thank you for your patience as we work to resolve this matter,” Proud wrote. “We sincerely regret any inconvenience or concern this may cause.”
Dark Reading contacted Instructure for comment, but the company has not responded at press time.
The Canvas Breach: Threats to Academic Institutions
While some of the identifying information may not include passwords, government ID, or banking credentials, the messages sent between users (e.g., students, teachers, and other faculty) are potentially the most sensitive data compromised by ShinyHunters actors. One concern would be whether attackers could use information gained from these messages as an additional extortion lever against institutions or families. Specific identifying information like this would also be useful for follow-on phishing activity.
And for the academic institutions that use Canvas, it’s not easy to switch from one LMS to another, let alone if the breached product is the most popular one of its kind in North America.
Denis Calderone, chief technology officer (CTO) of security firm Suzu Labs, tells Dark Reading that under the Family Educational Rights and Privacy Act (FERPA) of 1974, schools are still on the hook for protecting student data even when it sits in a platform the school doesn’t control.
“There are other LMS vendors, but migrating off Canvas is not trivial, and I’d suspect most of the affected institutions aren’t going anywhere,” he says. Calderone adds that while institutions running Canvas can’t control Instructure’s security posture, the school can control what data lives there. Relevant organizations should review their data retention policies now.
Similarly, Ensar Şeker, chief information security officer (CISO) at SOCRadar, says that when platforms like Canvas become deeply embedded into daily education workflows, educators and students “inherit” that platform’s security posture whether they know it or not.
“The reality is that teachers cannot realistically avoid using these systems, so the focus has to shift from blind trust to resilience and risk reduction. Institutions should assume that any cloud-based communication platform may eventually experience a breach and develop policies accordingly,” Şeker says. “That means limiting sensitive discussions in platform messaging systems, minimizing unnecessary data retention, enforcing strong identity controls like multifactor identification (MFA) everywhere possible, and having clear breach response communication plans ready before an incident occurs.”
Brian Bell, CEO of customer identity and access management vendor FusionAuth, says institutions should also require vendors to prove their own security posture with current certifications, third-party audits, clear breach notification commitments, and documented controls for things like API keys and tokens.
“Vendor trust cannot be a one-time procurement decision,” he says. “In edtech, it has to be continuously earned.”
