Canvas outage after breach spotlights weak school security

Canvas breach – Hackers breached Instructure’s “free for teacher” Canvas account, interrupted service, and claimed to steal 275 million records from about 9,000 education institutions worldwide. Instructure says it has reached a deal with the group, confirmed data destruction

Late last week, Canvas—the learning platform used by schools and colleges across the United States—went suddenly offline. For many students, the timing landed around finals. For teachers. it was the kind of disruption that doesn’t just interrupt classes; it breaks study plans. delays feedback. and forces last-minute scrambling when every deadline feels unforgiving.

Instructure, the company behind Canvas and a learning management system with 30 million active users, later said the outage followed a breach of a “free for teacher” account—one of the accounts offered specifically to give teachers access to Canvas courses.

The claimed scale is what has kept the story moving. The criminal hacking group ShinyHunters says it stole 275 million records from roughly 9. 000 educational institutions worldwide. a claim reported by Security Week. Instructure has not publicly detailed any tradeoffs in its response. but the company did say that it reached a deal with the hackers to return the stolen data. In a note released at the beginning of this week. Instructure said it received digital confirmation of data destruction and assurance that none of its customers would be extorted.

The note did not say what Instructure gave in return. It also announced a webinar with “Instructure leadership” scheduled for Wednesday.

For schools, the practical impact has been broader than a single platform outage. Instructure said the most recent breach included customer data—teacher and student email addresses, usernames, enrollment information, and course names. The company also described this as the second data breach within the year.

Canvas returned online as of Saturday, according to a note posted on Instructure’s website about the incident. But even after the service came back, the aftershocks kept spreading through school communities. At least six universities and school districts in a dozen states sent out alerts saying they had been impacted by the attack. according to reporting from CNN.

Before Instructure’s deal. CNN reported that ShinyHunters had set a Tuesday deadline for schools to “negotiate a settlement.” That deadline—and the need for schools to respond to threats tied to outside vendors—has put an uncomfortable spotlight on a reality many districts already feel: when vendors are attacked. schools can quickly become the ones absorbing the risk.

Experts have long warned that education is a tempting target for hackers. describing it as “target rich. resource poor.” That imbalance is showing up in the numbers. Cybersecurity was identified as a top concern in EdSurge’s 2025 trends forecast. and the frequency of attacks has increased in recent years against both higher education and K-12 schools. A 2025 report from the Center for Internet Security found that 82 percent of K-12 organizations reported a cyber security incident. with 9. 300 confirmed incidents.

The Canvas case lands amid deep frustration over how much schools have depended on educational technology since pandemic closures forced districts to rush into digital instruction and tools. Some observers are now asking whether schools have enough trust—and enough control—to respond quickly when the threat isn’t coming from within their own walls. but from the vendors that host essential learning systems.

The wider timeline makes the unease harder to dismiss. In 2022, a cyberattack against Illuminate Education spread widely. That same year. after the European Union passed the General Data Protection Regulation. or GDPR. experts pointed to a gap in the U.S.: during the Illuminate attack. they noted the U.S. lacked a national consensus, even as states began passing legislation.

Later in 2022. after a major attack against Los Angeles Unified School District—one of the largest in the country—experts warned that schools can be “honey pots of highly sensitive information.” In that incident. a ransomware gang dumped 500 GB of files. including sensitive student and teacher information. on the dark web when the district refused to pay.

In 2025, early into the Trump administration’s second term, experts noted that coordinated federal attacks had been affected by cuts, weakening federal support for schools. At the time, districts described operating “in the dark” with an uncertain future around cybersecurity issues.

In a two-part EdSurge series. “Under Siege: How Schools Are Fighting Back Against Rising Cyber Threats. ” reporter Ellen Ullman found that many schools still struggle with the fundamentals of cybersecurity. with small schools becoming attractive targets for cyber criminals. Ullman’s reporting also pointed to a grim lesson: schools often have to learn that the first line of defense against scams is humans.

For those trying to make sense of the latest wave of breaches. the debate has sharpened into something more direct than policy talk. Douglas Levin. national director of K12 Security Exchange Information. wrote on social media that audits and certifications too often function as “compliance theater” and “weak shields against liability.”.

That argument echoes the pressure schools now face as attackers grow more sophisticated. and as education systems scramble to protect student data despite limited time. limited staff. and limited budgets. The latest Canvas attack has renewed attention. but it also underlines a longer truth: cyberattacks against schools are not a new concern—and every return to online normalcy doesn’t erase the next risk waiting just beyond the login screen.

Canvas Instructure cybersecurity education technology ShinyHunters data breach K-12 schools higher education ransomware EdSurge Center for Internet Security GDPR