
Ohio State Restores Canvas Access After Breach Exposes Names, Emails, and Student IDs

Ohio State students regain Canvas access after breach via Free-for-Teacher exposed names, emails, and IDs. Instructure works with FBI, hardens platform.

Peter Olaleru/3 min/US

Cybersecurity Editor

Ohio State’s Canvas learning system was restored on May 8 after a cyberattack exposed names, email addresses, and student ID numbers. The breach originated in Instructure’s Free-for-Teacher tool and affected thousands of institutions worldwide.

Context

On April 29 and again on May 7, attackers exploited the Free-for-Teacher feature to gain unauthorized access to Canvas data. The tool lets educators create courses without a paid subscription and was temporarily suspended by Instructure after the incident. No evidence suggests passwords, dates of birth, government identifiers, or financial information were taken.

Key Facts

- Personal data exposed: names, email addresses, and student ID numbers.
- Ohio State students and educators regained access to CarmenCanvas on May 8.
- Instructure stated trust is earned through actions and pledged to strengthen safeguards.
- The hacker group ShinyHunters claimed responsibility, saying the breach impacted nearly 9,000 institutions globally.
- Instructure is collaborating with the FBI, CISA, and a third‑party forensic firm to investigate and harden administrative controls.

What It Means

The incident shows how a seemingly low‑risk feature can become a high‑impact attack vector when insufficiently segmented. Educational institutions relying on third‑party LMS platforms should review all integrated tools, enforce least‑privilege access, and monitor for anomalous API usage.

Mitigations

- Disable or tightly restrict free‑tier or guest accounts until vendor patches are applied.
- Enable logging and alerting for privilege escalation and data exfiltration tactics (MITRE ATT&CK T1078, T1041).
- Apply the latest Instructure security advisories and consider multi‑factor authentication for all administrative interfaces.
- Conduct regular third‑party risk assessments and verify data minimization practices.

What to watch next

Watch for Instructure’s post‑mortem report, any updates on the Free‑for‑Teacher tool’s re‑release, and guidance from CISA on securing LMS integrations.
