The hacker group ShinyHunters claims to have obtained and plans to release personal data belonging to students from approximately 9,000 schools across the United States. The group accessed this information through a breach of Canvas, the learning management system operated by Instructure.

Canvas serves as a central hub for many K-12 and higher education institutions, storing student grades, assignment submissions, personal information, and communication records. Instructure has not yet confirmed the exact scope of the breach or the number of affected institutions.

ShinyHunters, a known cybercriminal group with a history of targeting educational technology companies, announced the planned data release on underground forums. The group typically extorts companies for payment before releasing stolen information publicly.

School districts and universities that rely on Canvas face potential exposure of sensitive student data, including names, email addresses, enrollment details, and academic records. Parents and students at affected institutions may be vulnerable to identity theft, phishing attacks, and other forms of fraud if the data is released.

Instructure has advised affected institutions to reset passwords and monitor accounts for suspicious activity. The company typically notifies customers directly when breaches occur, though the full notification process can take weeks.

This breach highlights ongoing security challenges in the education technology sector. Schools and universities have become frequent targets for hackers seeking valuable personal data or attempting to disrupt learning operations. Many districts operate with limited cybersecurity budgets and outdated infrastructure, making them attractive targets.

Institutions affected by the Canvas breach should take immediate action to alert students and parents, provide credit monitoring services where appropriate, and conduct thorough security audits of their systems. Education leaders also face pressure to implement stronger vendor management practices and cybersecurity protocols to protect student information.