ShinyHunters claims nearly 9,000 schools affected by Canvas data breach

ShinyHunters, a cybercriminal group, claims to have stolen data from nearly 9,000 schools that use Canvas, the learning management system operated by Instructure. The group announced plans to release the compromised student information publicly.

Canvas serves hundreds of thousands of K-12 and higher education institutions nationwide. The platform hosts grades, assignments, attendance records, and personal student information. A breach of this scale would expose data from millions of students across the country.

Instructure confirmed it identified a security breach affecting some Canvas users in late September 2024. The company deployed incident responders and law enforcement to investigate. Instructure has not yet released a comprehensive list of affected institutions or details about what specific data was compromised.

ShinyHunters operates as a known data theft and extortion operation. The group typically steals data, threatens to release it publicly, and demands ransom payments. Previous ShinyHunters campaigns have targeted healthcare organizations, financial institutions, and technology companies.

Schools and districts rely heavily on Canvas for daily operations. Teachers use it to assign work and communicate with students. Parents and students depend on it to track progress and access class materials. A public data release could expose Social Security numbers, names, birthdates, addresses, and academic records of minors.

For affected institutions, the breach creates immediate operational and legal challenges. Schools must notify families about the incident. Districts face potential compliance violations under state privacy laws and the Family Educational Rights and Privacy Act (FERPA), which protects student education records. Some states impose notification deadlines ranging from 30 to 60 days.

Instructure urged users to change passwords and monitor accounts for suspicious activity. The company recommended enabling multi-factor authentication. Districts began auditing their security practices and communications with affected families.

This breach underscores the risk schools face when consolidating sensitive data on single platforms. As