If your child’s school uses Canvas — and there’s a good chance it does — a cyber attack could expose their personal information. The popular learning management system, used by more than 14 million K-12 students and 7 million college students nationwide, has been hit by a breach that could affect millions of students, teachers and staff.
Instructure, the Utah-based company behind Canvas, said sensitive information such as Social Security numbers and financial data did not appear to have been compromised. However, experts warn that stolen information could be used to target students and their families in more convincing phishing scams.
What we know about breaking the law
On May 1, Instructure disclosed that it had encountered a cybersecurity breach on April 29. The company said it believed the breach had been contained by May 2, although it later acknowledged that there were other unauthorized actions associated with the same incident.
The group claiming responsibility for the cyberattack is ShinyHunters, a notorious hacking and extortion group that has been linked to several major data theft campaigns in recent years, including the 2024 breach of the Ticketmaster deal tied to Live Nation and the 2025 data theft of Google cloud storage.
The attackers replaced parts of the Canvas login experience on Thursday with a ransom note threatening to publicly release the stolen data unless payment was made by May 12. Canvas, Canvas Beta and Canvas Test were temporarily put into maintenance mode during the outage, which coincided with final exams at many schools.
On its leak site, ShinyHunters said the Canvas attack affected nearly 9,000 schools worldwide and exposed the information of 275 million people. Cybersecurity researchers, however, urge consumers to be careful, as those numbers have not been independently verified and may be exaggerated – a common tactic among financially motivated hacking groups.
Instructure said it has not yet received evidence that other data was stolen during the latest incident.
Compromised information
According to Instructure, the compromised information appears to include usernames, school email addresses, student ID numbers and messages exchanged through Canvas. The company says it found no evidence that passwords, birthdays, government identifiers or financial information were involved.
That is important because it reduces the immediate risk of direct identity theft. In addition, while Canvas users typically do not upload financial information such as credit card numbers to the platform, the student ID numbers disclosed in the breach may be used to view or access a student’s financial aid profile at their institution, depending on how their school handles that information.
But experts say the information revealed can still be useful to fraudsters.
Attackers can send phishing emails or text messages impersonating teachers, administrators or classmates. A fake message asking a Canvas user to update account information or pay a fee will look legitimate if it’s referring to real teachers or classes.
Steps students and parents can take now to protect themselves
There are lists of schools affected by the Canvas data breach floating around. But the best way to make sure your school has been included is to contact your college, school or district administration, or check any official contact from Canvas or Instructure.
The biggest immediate danger to you or your family is phishing. Be aware of emails or texts claiming to be from the school or Canvas that ask you to click on links, confirm passwords, open attachments or send money. Instead of using links from messages, navigate directly to your school’s official website. Actual Canvas support emails end with @instructure.com, while institutional or school IT support emails will use their own domain, such as @university.edu.
Parents whose schools are affected may also consider closing the debt on their children’s credit file through Equifax, Experian and TransUnion. Theft of children’s information may go undetected for years because children rarely check their credit. Setting it up for free also prevents new accounts from being opened in your child’s name.
College students whose institutions are affected should consider doing the same. Anyone with an active credit file has something to protect.
If you’re worried about wider exposure, you can also look into identity theft monitoring services, which scan dark web markets and data broker databases for your personal information and alert you when it appears. Many offer family plans that cover children — a useful feature given that a child’s data can sit dormant for years before anyone tries to exploit it.
More from Mali
What is a Data Breach and How to Prevent It
4 Steps to Protect Your Data After a Breach
What to Do When Your Information Is Found on the Dark Web
