A cyberattack on the company that owns the Canvas learning management system—used by K-12 schools and universities across the United States—has potentially put data from millions of students and teachers at risk.
It’s a substantial cyberattack that has echoes of the 2024 PowerSchool breach, said Doug Levin, the co-founder and director of K12 Security Information Exchange, a nonprofit focused on helping K-12 schools prevent cyberattacks. He had just gotten off a briefing call—the second one this week—with K12 SIX members about the incident.
“The last time we pulled people together like this was during the PowerSchool incident,” he said.
A hacking group by the name of ShinyHunters has claimed responsibility for the breach at Instructure, which owns Canvas. The company discovered the breach on April 29, according to an FAQ page on Instructure’s website.
ShinyHunters says it has accessed information from 9,000 schools worldwide, the Associated Press reports, and it has threatened to leak the data on May 12. Education Week could not confirm what ShinyHunters is demanding from Instructure to not publish the stolen data.
The attack led to Instructure taking Canvas offline on Thursday, wreaking havoc in higher education as many universities are in the middle of administering final exams and issuing end-of-semester grades. Many K-12 schools suffered disruptions as well.
Instructure said it has engaged outside forensic experts to investigate.
“Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in,” the company said in a statement on Friday. “Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use.”
Orange County Public Schools in Florida is among the districts that have received notification of a potential breach from Instructure. The company told the district that names, email addresses, messages sent through the Canvas platform, and student identification numbers are among the data likely accessed by the hackers. There is no evidence, yet, that Social Security numbers, birth dates, or financial information were compromised.
Orange County schools notified families that it has temporarily disabled access to Canvas out of an abundance of caution, so students, teachers, and parents do not log into a system that could still be compromised. The district also warned parents to be on the lookout for scams and report any suspicious messages to the district.
Other school systems, from Arlington Public Schools in Virginia to San Diego Unified School District in California, were also notified by Instructure that they may have been affected by the hack, according to messages sent to parents.
Data breach is one of a growing number of high-profile hacking incidents
The data breach is the latest in a series of high-profile cybersecurity incidents with K-12 vendors from the past few years, such as the 2024 attack on PowerSchool, also a widely used learning management system.
PowerSchool quickly paid a ransom to guarantee the deletion of the stolen data, but the hacker proceeded to contact individual districts in attempts to extort them.
Matthew Lane, who was 19 and a college freshman studying cybersecurity and computer science when he hacked PowerSchool, was found guilty for the cyberattack in November.
The cybercriminals behind this most recent breach are also likely young. The Associated Press reports that ShinyHunters is a loose affiliation of teens and young adults from the United States and the United Kingdom. The group has previously targeted Infinite Campus and McGraw-Hill, according to the New York Times, but those breaches were more limited.
There were reports of students receiving extortion messages when they logged into Canvas in the afternoon on May 7, but later that day the demands were removed from ShinyHunters’ leak site, Levin said.
While the company has shared some information about the incident on its website, “that’s not enough information for people to make a judgment about [Instructure’s] security,” Levin said. “People are not in a position where they feel like Instructure has been forthcoming enough.”
Some districts across the United States are not letting students and staff access Canvas at the moment because they’re not confident in its security, Levin said. Others are using it to continue instruction but are closely monitoring the incident.
‘We have to do a lot of work’ to protect schools
Cyberattacks are becoming tougher to tackle as districts rely more heavily on the use of digital technology for instruction and operations. Cybercriminals are also becoming more sophisticated due to advances in technology, especially artificial intelligence.
Still, the best practices for defending a school’s network have not changed, cybersecurity experts said.
Districts need to do their due diligence before signing on to use a company’s product, thoroughly examine its cybersecurity and data privacy procedures, and set clear expectations in the contract for what happens after the company experiences an attack.
Districts should also regularly conduct technology risk assessments to identify and understand vulnerabilities, regularly back up data and store it offline, and train staff and students on cybersecurity best practices.
It’s important districts have a plan in the event of a hack that outlines how they would respond and notify the community, as well as how they would ensure learning can continue if their digital tools are disabled. Districts should practice this plan like they would for a fire drill.
However, it’s not fair to think that districts would be able to successfully defend against a hacker of this caliber, Levin said. ShinyHunters are “prolific, and they go after lots of targets in and out of education, including successfully compromising some of the largest companies in the U.S,” he said.
“We have to do a lot of work before we could have some assurance that we could keep [these kinds of threat actors] out,” he said. Districts need resources and support to put these best practices in place.
A majority of K-12 technology leaders (65%) say the top barriers to addressing cybersecurity challenges are insufficient staffing and lack of a dedicated budget, according to the U.S. State of EdTech 2026 report from the Consortium for School Networking. But the Trump administration has cut its investment in K-12 cybersecurity, and many state and local governments are facing budget shortfalls.
“The odds of experiencing an incident are quite high,” he said. “I can’t tell you when you might experience [it], but [with] the volume and the increasing severity of these incidents, it’s hard to ignore that this is an issue and will remain an issue until we more systematically address it.”
