Canvas Data Breach Exposes Student Info: A Guide for Parents

Instructure, the maker of the Canvas learning platform, confirmed a data breach exposing student names and IDs. Learn how parents can protect their families.

Monday, May 4, 2026

Key Takeaways

  • Instructure, the developer of the Canvas learning management system, confirmed a data breach. The incident exposed student names, email addresses, student IDs, and internal messages.
  • The extortion group ShinyHunters claims to have stolen 3.65 terabytes of data covering 275 million individuals across 9,000 educational institutions.
  • The breach compromised Canvas API keys. These credentials allow third-party software to access student data without multi-factor authentication.
  • Instructure found no initial evidence of compromised financial data or passwords. These assessments are preliminary and can change as forensic investigations conclude.

Instructure, the company behind the Canvas learning management system, confirmed a data breach exposing student and educator information. The incident compromised names, email addresses, student ID numbers, and internal user messages.

What Happened

According to an official disclosure by Instructure, a cyberattack disrupted tools that rely on API keys. The company revoked privileged credentials and forced users to reauthorize their access to third-party integrations.

The extortion group ShinyHunters claimed responsibility for the attack. On its leak site, the group claims to possess 3.65 terabytes of data belonging to 275 million students and teachers across nearly 9,000 institutions. The group also asserts that it compromised Instructure’s Salesforce instance, a compromise mirroring the recent Infinite Campus Salesforce hack.

Instructure has not verified the hackers' figures. The company stated that it has no evidence that passwords or financial information were involved, though it hired outside experts to investigate the scope of the incident.

The Bigger Picture

Higher education institutions and K-12 schools face thousands of cyberattacks every week. When hackers steal student data, it often leads to identity theft and financial fraud, as detailed in College Student Identity Theft: A Parent's Guide for 2026.

The Canvas breach targeted API keys. An API token is a credential that provides programmatic access to the Canvas platform. These tokens are valuable to hackers because a request that presents a valid token is not challenged for multi-factor authentication. When users link external apps (such as study tools or AI assistants) to Canvas, those apps use tokens to read and write data. If those tokens are compromised, attackers gain access to student records without a password.

Universities frequently delete all active sessions and API tokens when they suspect an account is compromised. This is why many Canvas users experienced disruptions to their integrated tools during the response.

What This Means for Families

Instructure stated no financial data was stolen, but parents should remain cautious. According to cybersecurity incident reporting requirements, initial breach notifications rely on information available at the time of discovery. Finding no evidence of a compromised database early on is common, and assessments often change once forensics are completed.

Exposed names, emails, and student IDs allow criminals to launch phishing campaigns. Attackers use this information to impersonate university officials in emails, tricking students or parents into providing passwords or financial aid details. As noted in guidelines for safeguarding student data, exposing identity information creates security risks.

What You Can Do

  • Monitor for phishing: Be skeptical of emails claiming to be from your school's financial aid office or IT department. Verify requests by calling the school directly.
  • Audit third-party apps: Log into Canvas and review any external tools or extensions you authorized. Disconnect apps that are not required for your coursework.
  • Update passwords: Even though Instructure claims passwords were not exposed, rotating your Canvas password and ensuring multi-factor authentication is active is a standard protective measure.
  • Watch your credit: Since student IDs and personal details were exposed, consider placing a fraud alert or credit freeze on your child's credit file to prevent identity theft.