Canvas Learning Platform Hacked, Exposing Data of Millions of Students
A cyberattack on the Canvas online learning platform compromised personal data from more than 275 million students and educators across thousands of schools. The breach, claimed by a group linked to ShinyHunters, disrupted final exams and coursework at universities and K-12 districts.
reviewjournal.com
A cyberattack compromised personal data belonging to more than 275 million students and educators after hackers breached the Canvas learning platform used by nearly 9,000 schools and universities. The incident disrupted coursework, exams and communications during final-exam season at institutions across the United States and beyond.
The company that owns Canvas detected unauthorized activity on April 29 and linked the intrusion to an issue involving its Free-For-Teacher accounts. It took the platform offline on Thursday after login pages were altered, triggering widespread outages before restoring most services within hours.
Hackers linked to the ShinyHunters group said they infiltrated the system and exposed sensitive user data. The group targeted almost 9,000 schools, according to a ransom letter shared online. The company said names, email addresses, student ID numbers and private messages were compromised.
It added that there was no evidence passwords, Social Security numbers or financial data were exposed.
Schools now face a recovery process that could take one to four weeks as information technology teams determine whether the breach spread to internal systems. Some institutions have assumed the attack affected connected networks and are working to clean devices before restoring full operations.
Several universities temporarily disabled access to the platform while their IT departments assessed the breach. Others shifted to email, Microsoft Teams and cloud-sharing systems, waived late penalties or delayed exams after students lost access to assignments and course materials.
The company engaged outside forensic experts and notified law enforcement agencies including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency. It has also temporarily shut down Free-For-Teacher accounts to restore confidence in the main platform, which is now fully back online.
Cybersecurity professionals have questioned how schools and the company could have prevented the breach. Technology exists that could have reduced the impact, though adoption varies across institutions. The incident has intensified scrutiny over reliance on a single centralized platform for critical academic operations.
Experts note that universities often connect sprawling networks of third-party tools to student records, coursework and communications systems, increasing potential exposure. Schools have warned students and faculty to watch for phishing emails and scams tied to the breach.
The company has not disclosed exactly how many institutions were directly affected, though it says Canvas serves more than 8,000 schools and universities globally. Questions remain about the full scope of the breach, whether additional systems were compromised and whether regulators or state attorneys general will investigate the exposure of student data.
The potential for legal fines and cyber insurance claims has also drawn attention.
> "Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in." — Company spokesperson (New York Post)
The breach occurred at one of the most stressful periods of the academic year when professors, adjuncts and students depend heavily on the platform for grading, submissions and final assessments.
Story Timeline
- April 29, 2026: The company detected unauthorized activity on the Canvas platform. (Sources: NPR, New York Post)
- Last Thursday: Canvas was taken offline after login pages were altered, causing widespread outages. (Sources: NPR, New York Post)
- May 9, 2026: Most Canvas services were restored though some maintenance issues remained under investigation. (Sources: NPR, New York Post)
- May 9, 2026: The company confirmed hackers exploited Free-For-Teacher accounts and temporarily shut them down. (Source: New York Post)
Potential Impact
1. Schools may require one to four weeks to fully restore and secure internal systems.
2. Affected institutions must warn students about potential phishing scams using breached data.
3. Universities may reassess dependence on centralized third-party education platforms.
4. The company could face regulatory investigations and fines over student data exposure.
5. Cyber insurance coverage adequacy for both the company and schools will be examined.