Hackers claim to have stolen data tied to roughly 275 million students, teachers, and staff from the Canvas learning platform.
Schools and universities worldwide may have been affected, with attackers reportedly accessing names, email addresses, student IDs, and private messages.
Cybersecurity experts say parents should monitor for phishing scams, freeze children’s credit when possible, and watch for suspicious account activity.
A major cyberattack targeting the education technology company behind the Canvas learning management system may have exposed the personal information of millions of students and educators worldwide, according to cybersecurity reports published this week.
Instructure, the company that operates Canvas, confirmed it experienced a cybersecurity incident affecting its cloud-hosted systems. According to Malwarebytes, a cybersecurity firm, the hacking group ShinyHunters has claimed responsibility for the breach and says it stole approximately 275 million records connected to students, teachers, and school staff.
Canvas is widely used by K-12 schools, colleges, and universities for coursework, messaging, assignments, and online instruction. According to reports, the hackers shared a list of nearly 9,000 educational institutions they claim were impacted.
Lots of data accessed
Security researchers say the exposed information may include names, email addresses, student identification numbers, course information, and private messages exchanged through the platform. Instructure has said there is currently no evidence that passwords, financial data, or government identification numbers were compromised.
The breach highlights growing cybersecurity concerns within the education sector, which experts say has become an increasingly attractive target for cybercriminals because schools hold large amounts of personal data while often operating with limited cybersecurity resources.
What parents should do
Parents whose children use Canvas or attend schools that rely on the platform are being urged to remain vigilant. Cybersecurity experts warn that stolen education records are often reused in phishing attacks and scams that appear legitimate because they reference real schools, teachers, or courses.
Malwarebytes experts recommend several immediate steps for families:
Carefully review any breach notifications sent by schools or districts.
Verify that emails or text alerts about the incident are legitimate before clicking links.
Change passwords for student accounts, especially if similar passwords are used elsewhere.
Enable multi-factor authentication whenever available.
Monitor email accounts for phishing attempts or suspicious messages referencing school activities.
Consider placing a credit freeze on a child’s credit profile where permitted by state law.
Parents are also advised to keep records of the breach notification because stolen student data can sometimes surface years later in identity theft or fraud schemes.
The alleged attack is one of the largest known education-related data breaches in recent years and follows a string of high-profile cyber extortion campaigns attributed to ShinyHunters, a group linked to multiple corporate breaches involving customer and employee data.