North Carolina Blocks Canvas Access After Threat Actor Exposes Student Names and IDs
North Carolina disables Canvas statewide after a threat actor leaks names and student IDs; passwords and financial data remain safe.
TL;DR: North Carolina disabled Canvas access for all public school users while investigators examine a breach that exposed names, student IDs, and user messages but left passwords and financial data untouched.
Context: Users across the country reported seeing a message from the threat actor linked to the Canvas breach involving Instructure, the parent company of the learning management system. The message appeared for accounts tied to the North Carolina Department of Public Instruction, North Carolina Virtual Public School, and several local districts. As a precaution, the NC Department of Public Instruction and state cybersecurity officials removed Canvas access through the NCEdCloud portal while they investigate the incident and implement additional safeguards.
Key Facts: The breach exposed names, student identification numbers, and messages exchanged between users, along with email addresses. Instructure confirmed that no passwords, birth dates, government‑issued identifiers, financial information, or Social Security numbers were accessed. The threat actor’s message was the first public sign of the intrusion, prompting the statewide block. Technical details released by Instructure indicate the actor leveraged an exposed internal API endpoint to enumerate user data, a technique cataloged as MITRE ATT&CK T1041 (Exfiltration Over Web Service). No specific CVE has been publicly attributed to the incident at this time.
What It Means: School districts must treat the exposed identifiers as sensitive, even though passwords remain safe, and monitor for phishing or social‑engineering attempts that could misuse the data. IT teams should review API authentication controls, enforce least‑privilege access, and enable logging for anomalous data queries. Defenders should watch for any follow‑up communications from the threat actor, apply Instructure’s forthcoming security patches, and follow guidance from the NC Department of Public Instruction on restoring Canvas access safely.
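An added example, not from Instructure or the original article: one way to act on the logging recommendation above is to count how many distinct user records each client reads inside a sliding time window and flag the outliers. The log format, the /internal/api/users/<id> path, the client addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log format: "<ISO timestamp> <client> <method> <path> <status>"
LINE_RE = re.compile(
    r'(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'/internal/api/users/(?P<uid>\d+) (?P<status>\d{3})$'
)

def parse(lines):
    """Yield (timestamp, client, user_id) for successful user-record reads."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["method"] == "GET" and m["status"] == "200":
            yield datetime.fromisoformat(m["ts"]), m["client"], int(m["uid"])

def find_enumeration(lines, window=timedelta(minutes=5), max_distinct=20):
    """Return {client: peak distinct IDs in any window} for clients over the limit."""
    by_client = defaultdict(list)
    for ts, client, uid in parse(lines):
        by_client[client].append((ts, uid))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        counts, start, peak = defaultdict(int), 0, 0  # uid -> hits inside window
        for ts, uid in events:
            counts[uid] += 1
            # Drop events that have fallen out of the sliding window.
            while events[start][0] < ts - window:
                counts[events[start][1]] -= 1
                if not counts[events[start][1]]:
                    del counts[events[start][1]]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged

def sample_log():
    """Constructed sample: one client walking sequential IDs, one ordinary user."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} 203.0.113.7 GET "
             f"/internal/api/users/{1000 + i} 200" for i in range(60)]
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} 198.51.100.4 GET "
              f"/internal/api/users/42 200" for i in range(30)]
    return lines

if __name__ == "__main__":
    print(find_enumeration(sample_log()))
```

Counting distinct record IDs rather than raw request volume keeps a busy but ordinary client, which re-reads the same few records, below the threshold.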
What to watch next: updates from Instructure on remediation steps, any additional threat actor outreach, and official guidance from North Carolina on when Canvas access will be restored.