School districts face a massive shift in how cybercriminals steal student data. Instead of trying to break into individual school networks one by one, hackers now target the third-party software companies that run modern classrooms. This supply-chain approach allows threat actors to compromise hundreds of school systems and millions of students in a single attack.
What Happened
In late April and early May 2026, the learning management system Canvas, owned by Instructure, was hit by a major cyberattack. According to a report by Krebs on Security, the threat group ShinyHunters claimed responsibility for the breach. The attack temporarily forced the Canvas platform offline during final exams. The hackers targeted the platform's Free for Teacher service, claiming to have stolen data representing 8,800 schools and universities and roughly 275 million users. According to Trend Micro, the stolen data contained student names, email addresses, student IDs, and private messages. Instructure confirmed that passwords and financial details were not compromised.
This follows another massive supply-chain attack on PowerSchool, a cloud-based platform for K-12 schools. In that breach, according to Security.org, the personal records of approximately 62 million students and 9.5 million teachers were compromised. This is the largest breach of children's data in U.S. history. Cybercriminals took names, grades, health records, and government identifiers. While PowerSchool paid a ransom, Security.org reports that the stolen data was never fully recovered. Individual school districts faced follow-up extortion attempts months later.
The Bigger Picture
As we previously reported, school districts spend billions on educational technology, creating a massive web of third-party applications. This rapid expansion, combined with the fact that districts are struggling to manage software bloat, has made educational software vendors prime targets.
According to cybersecurity experts interviewed by Dark Reading, hackers see value in targeting centralized platforms. A single breach at the software level grants access to data that would take months to gather by hitting schools individually. Research from Inside Higher Ed confirms that Canvas is used by 41 percent of colleges and universities in North America. This shows how vulnerable the education sector is to a single vendor failure.
School districts often lack the technical resources to audit these companies thoroughly. A report by the Office of the Information and Privacy Commissioner regarding the PowerSchool breach noted that the main failure was not what vendors promised in their contracts, but a lack of oversight to ensure they met those commitments in practice.
What This Means for Families
While the Canvas breach did not expose financial details or Social Security numbers, it still presents major risks. When hackers steal student names, email addresses, and class schedules, they can craft convincing, personalized phishing attacks. For example, a student might receive an email that looks exactly like a message from their advisor or teacher. This can trick them into revealing passwords or downloading malware.
For parents, the scale of these breaches means bad actors are compiling their children's digital footprints. Unlike adults, minors rarely monitor their credit or identity profiles. Stolen personal data can be used for fraud that goes unnoticed for years.
What You Can Do
Parents and educators can push district administrators to implement repeatable assessment strategies. For instance, the FERPA risk checklist forces IT teams to verify how vendors process and delete student data before signing contracts.
School boards must also require Data Processing Agreements (DPAs) in all edtech contracts. This ensures schools retain audit rights and can verify that data is encrypted both in transit and at rest.
Finally, teachers and parents should teach students how to spot sophisticated phishing emails. Students must learn to verify any unexpected request for information or links directly with their teacher or school portal, rather than clicking on links in emails.