Canvas Hack: How to Know if Your Personal Info Is at Risk

A recent cyberattack on Canvas, a widely used learning management system, has potentially compromised the personal information of millions of students, teachers, and staff. The platform serves over 14 million K-12 students and 7 million college students across the United States. Instructure, the company that operates Canvas, announced the breach on May 1, revealing that it had occurred on April 29, and reported that the issue was largely contained by May 2. However, the attack was linked to additional unauthorized activity later discovered.

The hacking group ShinyHunters claimed responsibility for the incident. They replaced parts of the Canvas login screen with a ransom note, demanding payment to prevent the release of stolen data by May 12. Claims from ShinyHunters indicate that the breach impacted approximately 9,000 schools globally, affecting around 275 million individuals. Nevertheless, cybersecurity experts caution that these figures may be exaggerated.

According to Instructure, the information compromised includes usernames, school email addresses, student ID numbers, and messages sent through Canvas. They confirmed that sensitive data such as Social Security numbers and financial details were not involved, which reduces the immediate risk of identity theft. However, the exposed information could still facilitate phishing scams, as attackers may impersonate teachers or school staff to solicit further personal information from students and parents.

To mitigate risks, students and parents are advised to confirm whether their school was affected, avoid clicking on suspicious emails or texts, and consider placing credit freezes on their children’s credit files to protect against identity theft.

Why this story matters