ShinyHunters claims nearly 9,000 schools affected by Canvas data breach

The hacking group ShinyHunters says it accessed student data from Canvas, Instructure's learning management system, affecting nearly 9,000 schools nationwide. The group claims it will release the stolen information.

Canvas serves millions of K-12 and higher education students across the United States. The platform hosts assignments, grades, attendance records, and other sensitive educational data. Instructure, the company that owns Canvas, has not yet released a full accounting of the breach's scope or confirmed the exact number of affected institutions.

ShinyHunters has a history of targeting educational technology companies and healthcare providers. The group typically demands ransom payments before threatening to release stolen data publicly. Past breaches claimed by ShinyHunters have exposed personal information including names, email addresses, and in some cases, Social Security numbers.

Schools using Canvas store substantial amounts of student data on the platform. A breach of this scale could expose records across multiple states and affect students of all ages, from elementary through graduate school. Parents and educators have expressed concern about the security of educational technology platforms that hold sensitive family information.

Instructure has not released details about how the breach occurred, when it was discovered, or what specific data categories were compromised. The company typically works with law enforcement and cybersecurity firms to investigate such incidents. Schools affected by breaches are generally required to notify families under state data breach notification laws, though timelines vary by jurisdiction.

This incident adds to growing concerns about cybersecurity in K-12 and higher education. Schools have become frequent targets for ransomware attacks and data theft in recent years. Budget constraints often limit schools' ability to invest in robust cybersecurity infrastructure and staff training.

Students and families affected by the breach should monitor their accounts for suspicious activity and watch for phishing attempts. Those concerned about their data exposure can contact their school or district for specific information about what was compromised and what protective