Last updated: May 13, 2026 at 5:42 AM UTC
Tag: powerschool-comparison (3 articles)

ShinyHunters is now extorting individual schools using stolen Canvas data - thousands of K-12 districts and universities receiving direct ransom demands

Update on the Instructure breach we covered May 4: ShinyHunters has shifted from extorting Instructure itself to extorting individual schools and universities with their own Canvas data. BleepingComputer and Krebs on Security report that 8,800+ institutions have received direct ransom demands referencing real student records, teacher accounts, and gradebook data from their own Canvas tenants. The campaign mirrors the 2025 PowerSchool aftermath. Some schools are receiving demands sized to the institution. Krebs notes affected schools are scrambling to comply with state student-privacy laws while negotiating with attackers.

Check
If your school uses Canvas, check whether you've received any direct extortion communications referencing real Canvas data since May 4. Audit Canvas API access logs for bulk data exports between February and April.
Affected
8,800+ schools, universities, and corporate training organizations using Canvas. K-12 districts face acute risk under state student-privacy laws (NY 2-d, California SOPIPA, ~130 similar statutes) plus COPPA for under-13 student data. Universities face FERPA exposure. Smaller institutions without legal counsel are most likely to pay rather than report.
Fix
Do not respond directly to extortion communications - report to FBI IC3 first and consult legal counsel before any contact. Notify affected students, parents, and faculty per state notification timelines (most require 30-60 days). Issue COPPA and FERPA notifications where applicable. Rotate Canvas API keys and re-authorize integrations. Track Instructure's response separately - many schools report the vendor unresponsive on individual cases.

Hackers tell schools to pay by Tuesday or 275 million students' messages and IDs go public - Canvas operator Instructure confirms breach

Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.

Check
If your school or organization uses Canvas, prepare your student/parent breach notification template this week - Instructure data is likely to be public by Tuesday.
Affected
Schools, universities, and corporate training organizations using Canvas - 9,000 institutions globally, 275 million individuals. Acute risk for K-12 districts where data on under-13 students falls under COPPA and state student privacy laws (NY Education Law 2-d, California SOPIPA, ~130 similar state statutes). Salesforce-integrated Canvas tenants face additional exposure.
Fix
Rotate every Canvas API key and re-authorize integrations as Instructure has now mandated. Pull your district's Canvas data-sharing inventory and identify which downstream tools held copies. For K-12: prepare COPPA and state-AG notification templates now - PowerSchool's breach triggered class actions in 11 states. Brief students, parents, and faculty that any 'Canvas account verification' email this week is potentially hostile.

Instructure, the company that runs Canvas for schools and universities, says hackers breached its systems

Instructure disclosed Friday that a 'criminal threat actor' breached its systems. The company runs Canvas, the learning management platform used by schools, universities, and corporate training programs - and a successful breach exposes student records, teacher records, course content, and grades. Instructure has not said how many users are affected or what data was taken, only that outside forensics are investigating. Canvas Data 2 and Canvas Beta have been in maintenance since May 1, with customers warned about API key issues. The pattern matches the January 2025 PowerSchool breach, which exposed data on 62 million students and is still being followed by ransom demands against individual schools.

Check
If your school or organization uses Canvas, audit which API keys you have integrated with Canvas and rotate any issued in the past 6 months as a precaution.
Affected
Schools, universities, and corporate training organizations using Canvas. Student records, teacher records, course content, gradebook data, and uploaded files are all in scope until Instructure confirms otherwise. Salesforce-integrated Canvas tenants may be at higher risk - 2025's Instructure incident traced to a Salesforce compromise.
Fix
Rotate Canvas API keys, especially for downstream tools (gradebook integrations, SSO, third-party plugins). Brief students, parents, and faculty that any 'Canvas account verification' email is potentially hostile - go to canvas.instructure.com directly. Request Instructure's incident notification timeline in writing and pre-prepare your own student/parent notification template.