Canvas LMS Breach Exposes 275 Million Student, Teacher Records in Massive Education Supply-Chain Attack
Instructure, the company behind the Canvas learning management system, confirmed a breach of its cloud-hosted environment, with the ShinyHunters ransomware group claiming to have stolen roughly 275 million records from over 8,800 educational institutions.
Instructure, the company behind the Canvas learning management system (LMS), confirmed a cyber incident and subsequent data breach affecting its cloud‑hosted environment. The ShinyHunters ransomware group claims it is behind the attack and says it stole roughly 275 million records tied to students, teachers, and staff. The criminals shared a list of 8,809 school districts, universities, and online education platforms with BleepingComputer whose Canvas instances they claim were impacted, with per‑institution record counts ranging from tens of thousands to several million.
The breach represents one of the largest education-sector data thefts on record, exploiting the supply-chain risk inherent in centralized educational technology platforms. Canvas is the dominant LMS in North America and is widely used globally, meaning a single compromise at Instructure can cascade across thousands of independent school districts and universities. The exposed data may include names, email addresses, student IDs, and course information, though Instructure has not yet confirmed the full scope of what was taken.
ShinyHunters is a well-known ransomware and extortion group that has previously targeted major companies including Microsoft, AT&T, and Ticketmaster. The group's claim of 275 million records — if accurate — would make this one of the largest education-related breaches in history. The group provided BleepingComputer with a list of affected institutions and per-institution record counts, suggesting they have detailed access to the stolen database.
For affected families, the immediate risk is credential theft and follow-on phishing attacks. Attackers often reuse stolen education data to craft convincing scam messages that reference real school names, teachers, or courses. Parents and students should change Canvas passwords immediately, especially if passwords are reused across other services. Enabling multi-factor authentication where available is strongly recommended.
Institutions using Canvas should assume their students' and staff's data has been compromised and should proactively notify affected individuals. Schools should also review their own security practices around third-party integrations with Canvas and consider whether additional access controls or monitoring are warranted. The breach underscores the systemic risk of relying on a single vendor for critical educational infrastructure.
Instructure has not yet released a detailed post-mortem or timeline of the breach, nor has it specified what security measures were in place at the time of the compromise. The company has not confirmed whether the stolen data includes highly sensitive identifiers such as Social Security numbers or national ID numbers, which would significantly increase the risk of identity theft for minors.
This incident follows a pattern of high-profile breaches targeting educational technology platforms, including previous attacks on Blackboard, PowerSchool, and Illuminate Education. The education sector remains a prime target for cybercriminals due to the volume of personal data held by schools and the often-limited cybersecurity resources available to individual districts. The Canvas breach serves as a stark reminder that the security of millions of students depends on the defenses of a single cloud provider.