Industry - Data Breach
Executive Summary
Canvas, an educational platform used by schools nationwide, suffered data breaches on April 29 and May 7 that exposed usernames, email addresses, student ID numbers, and communications from over 275 million users at nearly 9,000 schools. The hacking group ShinyHunters claimed responsibility for the April breach, and Canvas owner Instructure reached an agreement with the attackers to return and destroy the stolen data. In Pittsfield, Massachusetts, the breach disrupted the grade reporting syst...
What Happened
Canvas, an educational platform owned by Instructure, experienced two data breaches on April 29 and May 7, 2025. The hacking group ShinyHunters claimed responsibility for the April breach, which exposed usernames, email addresses, student ID numbers, and communications from over 275 million users across nearly 9,000 schools worldwide. Instructure reached an agreement with the attackers on May 11 to return and destroy the stolen data. No evidence of data theft was found for the May 7 incident.
Who Is Affected
Over 275 million users at nearly 9,000 schools worldwide were affected by the April 29 breach. This includes students and teachers at institutions like Pittsfield Public Schools and Massachusetts College of Liberal Arts who use Canvas for course management and communication. The breach temporarily disrupted grade reporting systems, as API integrations between Canvas and other school systems like PowerSchool were disabled for security reasons.
Why It Matters
This breach is one of the largest educational data compromises by scale, affecting hundreds of millions of students and educators globally. The incident demonstrates the vulnerability of centralized educational technology platforms that serve as critical infrastructure for schools, and highlights the emerging practice of paying cybercriminals to return stolen data. The exposure of student communications and identification information creates potential risks of identity theft and targeted phishing attacks against young users.
What You Should Do
If you or your child uses Canvas, monitor the email address associated with your Canvas account for phishing attempts or suspicious communications referencing school information. Change your Canvas password immediately and enable multi-factor authentication if available. Review any financial accounts or services where you may have used the same email address and student ID combination, and consider placing fraud alerts with credit bureaus if you are concerned about identity theft risks.
Summary generated from verified sources and reviewed before publication.
Sources
- Pittsfield Public Schools says secondary progress reports impacted by Canvas data breach - The Berkshire Eagle
- US Tiger Securities Data Breach Reported; Attorneys Investigating - ClassAction.org
- Glendora Surgery Center Data Breach Reported, Lawsuit Possible - ClassAction.org
- The Canvas breach proved that prevention is no longer enough
- Chairman Cassidy, Tuberville Seek Answers on Canvas Cybersecurity Incident, Calls for More Safeguards to Protect Students