Major data breach impacts schools across US

The hacking group ShinyHunters breached Instructure’s database, exposing sensitive data from Canvas users across up to 9,000 U.S. schools, and demanded a settlement by May 12. Instructure confirmed the breach affected names, email addresses, student IDs, and internal messages but denied exposure of passwords, birthdates, or financial data, while some districts reported temporary access issues.
A major data breach targeting Instructure’s Canvas platform has exposed sensitive information from students and staff across U.S. schools, with the hacking group ShinyHunters claiming responsibility. The breach, disclosed by TechCrunch on May 5, involved the theft of data including names, email addresses, student IDs, and internal messages, though Instructure stated passwords, birthdates, and financial details were not compromised.

ShinyHunters sent extortion messages to Canvas users, warning affected schools to contact them via TOX by May 12 to avoid public data release. The breach impacted dozens of colleges and universities nationwide, with Charlotte-Mecklenburg Schools alerted over the weekend.

Instructure acknowledged the incident on its status page, confirming it contained and remediated the issue while keeping Canvas operational. However, some users, including those at Indiana University, reported difficulties accessing the platform on May 7, with Instructure noting isolated issues with Student ePortfolios.

ShinyHunters claimed the breach occurred despite Instructure’s prior security patches and stated they had been targeting the company since 2019. The group also altered Canvas login screens to display their warning message.

While Instructure assured there was no evidence of ongoing unauthorized access, the breach raised concerns about cybersecurity risks in educational institutions. The exact number of affected individuals remains unclear, though estimates suggest up to 9,000 schools could be involved. Districts like Charlotte-Mecklenburg Schools are reviewing the breach’s impact, with officials emphasizing no ongoing unauthorized access had been detected as of May 7.