Canvas Data Breach: ShinyHunters Hack Exposes 275 Million Student Records in 'Biggest Privacy Disaster'

On Thursday afternoon, millions of students at thousands of universities and K-12 schools were locked out of Canvas, a widely used education technology platform that serves as the central hub for many classes. The outage followed a ransomware attack by ShinyHunters, a hacking group that claimed to have stolen “billions” of messages and accessed data belonging to more than 275 million individuals.

The group also locked students out of the platform. By later Thursday, Instructure, the parent company of Canvas, reported that the service was mostly restored, though it remains unclear whether a ransom was paid.

This incident underscores the dangers of centralizing sensitive educational and personal data within a single service. Canvas functions as a comprehensive portal where teachers post assignments, host lectures, manage discussion boards, and facilitate student-teacher communication. It also integrates with other educational technology tools.

In a statement on its incident update page, Instructure confirmed that the stolen data included “certain personal information of users at affected organizations.” This information comprised names, email addresses, student ID numbers, and messages among Canvas users. The company also disclosed that it had been breached twice—first on April 29 and again on Thursday.

Expert Warns of ‘Biggest Student Data Privacy Disaster in History’

Following the hack, Ian Linkletter, a digital librarian specializing in emerging education technology, spoke about the breach’s implications. Linkletter, who has worked in EdTech for 20 years and is known for exposing privacy concerns in Proctorio—a remote test proctoring software—described the Canvas hack as “the biggest student data privacy disaster in history.”

Linkletter’s comments were made in an interview with 404 Media, which has been lightly condensed below:

Q: What do we know about the hack so far?

At about 1:20 PM [Pacific, Thursday], people started posting screenshots to Reddit of this breach message that they got. Some institutions were cautioning people to change their passwords if they were logged in. Right now, it just seems like people are in panic mode. Some senior administration at schools are in meetings talking about whether they need to cancel finals next week. The implications are on everything because schools are reliant on this learning management system for everything—communications, grading, finals, everything.

Q: You’ve worked in EdTech for 20 years and called this the biggest student data privacy disaster in history. What led you to that conclusion?

I supported Blackboard [a similar platform] way back in the day and I supported Canvas from about 2017 to 2022 when I worked at the University of British Columbia. When we switched to Canvas in 2017, it marked the shift from scrappy little self-hosted learning management system apps to a centralized, all-encompassing platform. That centralization is what makes this breach so catastrophic.

Linkletter previously gained attention for exposing privacy issues in Proctorio, a remote proctoring tool that gained prominence during the COVID-19 pandemic. He was sued by Proctorio but the case was ultimately dropped.