30 million users. That’s roughly the active base for Canvas. Instructure runs it. Thousands of U.S. schools use it to grade, teach, and manage chaos. Then hackers shut it down late last week.
The target was specific. Instructure’s “free for teacher” accounts got breached. Those are the portals giving educators direct access. The group ShinyHunters took credit. They claim 275 million stolen records. About 9,000 institutions involved. Security Week reported the numbers.
By Wednesday morning, Instructure announced a deal. The hackers would return the data. Or at least delete it digitally. The company said it received confirmation. Also, an assurance that customers wouldn’t face extortion. They didn’t mention paying a ransom. They just scheduled a webinar for “leadership” to discuss.
This isn’t new territory. Instructure admits it’s the second breach this year. Emails. Usernames. Course names. All exposed. Just when colleges are drowning in finals.
Canvas was back online Saturday. Six universities and dozens of school districts issued alerts though. CNN noted ShinyHunters set a Tuesday deadline for negotiations. It sounds familiar.
Why schools? Because they’re “target rich, resource poor.” Experts use those words often.
We rushed into edtech during the pandemic. No training. No safety nets. Now we wonder if we can trust these vendors. If Canvas can’t protect its own house, can the district?
Too often they serve as compliance theater
EdSurge called cybersecurity a top trend for 2025. Maybe that was optimistic. Attacks are spiking in higher ed and K-12. AI is making them sharper. 82 percent of K-Here is a K-12 org reported an incident recently. That’s according to the Center for Internet Security. Over 9,300 confirmations.
Here is how we got here:
- 2018: EU passed GDPR. Clear rules.
- 2022: Illuminate Education got hit. U.S. still had no national consensus. Just scattered state laws.
- 2022: LAUSD refused to pay ransom. Gang dumped 500 GB on the dark web. “Honey pots,” experts called schools.
- 2025: Early Trump administration. Cuts hit federal cybersecurity support. Districts say they are working “in the dark.”
- 2025: EdSurge reported districts fighting AI threats. Small schools are easy targets. The best defense is actually people. Not firewalls. People.
Douglas Levin puts it bluntly on social media. Current audits are weak shields. Compliance theater.
Staff needs training. Kids need awareness. But budgets are tight. The threats get smarter. The data stays risky.
What happens when the next alert hits at 3 a.m. on a Tuesday?
