If your child's school uses Canvas — and there's a good chance it does — a cyberattack may have exposed their personal information. The popular learning management system, used by over 14 million K-12 students and 7 million college students around the country, was hit by a breach that could affect millions of students, teachers and staff members.
Instructure, the Utah-based company behind Canvas, said that highly sensitive information like Social Security numbers and financial data does not appear to have been compromised. However, experts warn the stolen information could still be used to target students and their families with highly convincing phishing scams.
What we know about the breach
On May 1, Instructure disclosed it had experienced a cybersecurity breach on April 29. The company said it believed the breach had been contained by May 2, though it later acknowledged additional unauthorized activity tied to the same incident.
The group claiming responsibility for the cyberattack is ShinyHunters, an infamous hacking and extortion group linked to several major data theft campaigns in recent years, including the 2024 Ticketmaster breach tied to Live Nation and a 2025 theft of data from Google cloud storage.
How People Are Protecting Their Digital Identities Right Now
Attackers replaced parts of the Canvas login experience Thursday with a ransom note threatening to publicly release stolen data unless payment was made by May 12. Canvas, Canvas Beta and Canvas Test were temporarily placed into maintenance mode during the disruption, which coincided with final exams at many schools.
On its leak site, ShinyHunters claims the Canvas attack affected nearly 9,000 schools worldwide and exposed the data of 275 million people. Cybersecurity researchers, though, urge consumers to exercise caution, as those numbers have not been independently verified and may be exaggerated — a common tactic among financially-motivated hacking groups.
Instructure said it has not found evidence that additional data was stolen during the most recent incident.
The information that was compromised
According to Instructure, the compromised information appears to include usernames, school email addresses, student ID numbers and messages exchanged through Canvas. The company says it found no evidence that passwords, dates of birth, government identifiers or financial information were involved.
That's important because it lowers the immediate risk of direct identity theft. Moreover, while Canvas users don't typically upload financial information like credit card numbers to the platform, student ID numbers exposed in the breach could potentially be used to look up or access a student's financial aid profile at their institution, depending on how their school manages that information.
But experts say the exposed data could still be valuable to scammers.
Attackers could send highly convincing phishing emails or text messages posing as teachers, administrators or classmates. A fake message asking a Canvas user to update account information or pay a fee will look much more legitimate if it references actual teachers or classes.
Steps students and parents can take now to protect themselves
There are lists of schools affected by the Canvas data breach floating around. But the best way to confirm whether your school was included is to contact your college, school or district administration, or check for any official communication from Canvas or Instructure.
How People Are Protecting Their Digital Identities Right Now
The biggest immediate risk to you or your family is phishing. Be cautious about emails or texts claiming to come from a school or Canvas that ask you to click links, confirm passwords, open attachments or send money. Instead of using links from messages, navigate directly to your school's official website. Genuine Canvas support emails end in @instructure.com, while institutional emails or support from school IT will use their own domain, like @university.edu.
Parents whose schools were affected may also want to consider placing a credit freeze on their child's credit file through Equifax, Experian and TransUnion. Child identity theft can go unnoticed for years because minors rarely check their credit. A freeze is free and prevents new accounts from being opened in your child's name.
College students whose institutions were affected should consider doing the same. Anyone with an active credit file has something to protect.
If you're concerned about broader exposure, you can also look into identity theft monitoring services, which scan dark web marketplaces and data broker databases for your personal information and alert you if it surfaces. Many offer family plans that cover minors — a useful feature given that a child's data can sit dormant for years before anyone tries to exploit it.
More from Money
What Is a Data Breach and How to Prevent It
