Canvas LMS breach exposes data of 275 million users across nearly 9,000 schools

Canvas LMS is a cloud‑hosted learning management system used by K‑12 districts, colleges, and training providers as the central hub for coursework, grades, and communication. Its widespread adoption creates a single point of failure; when the vendor’s service is interrupted, entire campuses lose access to instructional materials and assessment tools. The breach highlights how deep reliance on a SaaS monoculture can amplify both data exposure and operational disruption.

- ShinyHunters, a known extortion group, announced the theft of approximately 3.65 TB of data linked to 275–280 million Canvas users. - The compromised set includes names, institutional email addresses, student ID numbers, and private messages exchanged inside Canvas; Instructure says there is no evidence that passwords, birth dates, government IDs, or financial data were taken. - The attacker’s list names nearly 8,800 to 9,000 educational institutions across North America, Europe, the U.K., and Australia. - Instructure took Canvas offline during the incident, which halted exams, grading, and course delivery at many schools, according to multiple news reports. - No public CVE has been released; the initial attack vector remains undisclosed, though the group’s typical tactics involve credential abuse and exploitation of exposed services.

The leaked personal identifiers and message histories enable highly targeted phishing, impersonation, and harassment campaigns. Because the data includes real course details and internal communications, attackers can craft convincing lures that reference specific classes or instructors, increasing the likelihood of credential theft or account takeover. Long‑term risk arises from correlating this information with other breaches to build richer profiles for future social engineering or identity‑theft attempts.