Canvas Breach Forces Florida Schools Offline, Exposes 275 Million Student Records

Context The incident unfolded in early May across Tampa Bay and Central Florida, where dozens of K‑12 districts and higher‑education institutions rely on Canvas for coursework, grading, and communication. The breach was reported after the vendor, Instructure, detected unauthorized activity and alerted customers.

Key Facts - Hackers claim to have stolen 275 million records, including names, email addresses, student IDs and private Canvas messages. No Social Security numbers, passwords or financial data appear to have been taken. - Hillsborough County Public Schools (HCPS) and the University of South Florida (USF) immediately disabled Canvas on all district devices. HCPS warned families not to access the platform from personal devices and said the outage would last at least through the weekend. - The attack coincided with final exams, disrupting coursework for thousands of students. UCF, Embry‑Riddle and other Central Florida schools also reported temporary outages before restoring service. - Threat actors demanded a ransom, threatening to release the data by the following Tuesday. Instructure says the breach has been contained, but investigations continue. - Technical details remain limited. Early analysis points to a credential‑stuffing attack—using leaked usernames and passwords—to gain access to the SaaS environment. The pattern aligns with MITRE ATT&CK technique T1110 (Brute Force). No specific CVE (Common Vulnerabilities and Exposures) has been disclosed, suggesting the compromise leveraged valid accounts rather than a software flaw.

What It Means The scale of the data exposure highlights the risk of centralized education platforms that store millions of personal records. While passwords were not compromised, the breach reveals that private communications between students, teachers and parents are now searchable by unauthorized parties. Schools must reassess reliance on single‑vendor solutions and improve credential hygiene.

Mitigations – What Defenders Should Do 1. Enforce multi‑factor authentication (MFA) for all Canvas accounts; MFA blocks credential‑stuffing attacks. 2. Rotate passwords for all privileged and service accounts and require complex passwords. 3. Deploy credential‑monitoring services to alert on leaked credentials appearing on dark‑web forums. 4. Apply network segmentation to limit lateral movement if an account is compromised. 5. Review and tighten API token permissions; revoke any unused tokens. 6. Conduct a rapid audit of data stored in Canvas and purge unnecessary personal information. 7. Update incident‑response playbooks to include SaaS breach scenarios and coordinate with vendors for real‑time threat intel.

Looking Ahead Watch for Instructure’s forthcoming technical advisory, which may reveal additional indicators of compromise and guidance on forensic data collection. Schools should monitor for any public release of the stolen data and be prepared to notify affected families promptly.