Though their investigation was still ongoing as of May 12, Instructure shared that unauthorized parties had obtained access to Canvas on April 29 and May 7, including information like usernames, email addresses, course names and internal messages; however, the company said student work, credentials and course content were uncompromised. Though not explicitly identified by Instructure, the data extortion group ShinyHunters claimed credit for the attack, according independent security researchers at Cybernews and BleepingComputer.
On May 11, Instructure shared on its website that it struck a deal with the hackers, which included the recovery of the stolen data and digital verification — known as "shred logs" — that they had destroyed all extorted information. Instructure was also told that no customer data would be released or held for ransom, and the company's website told Canvas users that there's no need to personally engage with the attackers.
According to some data security experts, the breach not only raises questions about how hackers navigated systems designed to connect users across educational environments, but also whether ed-tech companies respond to cyber incidents in a timely and productive manner.
In an update on Instructure's website this week signed by CEO Steve Daly, he committed to more transparency in the future.
"Last week, we made a call to get the facts right before speaking publicly. That instinct isn't wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You've been clear about that, and it's fair feedback. We will change that moving forward."
Data security consultant Linnette Attai, who serves as project director for the Consortium for School Networking's Student Data Privacy initiative and Trusted Learning Environment program, said transparency was one of the biggest problems in the fallout of the recent Instructure hack. Despite the company's security-incident updates on its website, she said May 11 that the ed-tech community still did not know much about how the attack happened — which makes it all the more difficult to ensure it doesn’t recur or take place on another cloud platform.
“[Instructure’s] got FAQs on their website, but it’s not saying much, and they’re not saying they can’t share yet because of law enforcement or pending investigation," Attai said. “Their communication should be a subject of their own postmortem."
In an email to the Center for Digital Education, Elizabeth Laird, director of equity in civic technology at the nonprofit Center for Democracy and Technology, described the education sector as a “target-rich environment,” as schools and vendors collect highly sensitive information about tens of millions of Americans, including minors. She said the Canvas data breach stands apart from previous cyber attacks against schools — such as the 2024 PowerSchool hack that impacted tens of millions of students and staff — not only because of its scale, but also because of the sensitivity of the data exposed, particularly the private messages exchanged by students and teachers.
“It is not hard to imagine how deeply personal these messages could be, including details of a student’s disability, medical diagnoses, family tragedies or deaths, and other life events that were between two people and shared in a confidential and trusted environment,” she wrote.
The incident reflects a trend observed by a report in February by the technology research company Comparitech, which found overall cyber attacks on the education sector didn't move much from 2024 to 2025, but the number of records exposed rose sharply because of attacks on major ed-tech vendors.
The Instructure hack has also raised questions about how identity systems and interconnected workflows inside modern cloud platforms can create pathways for attackers, according to Jared Atkinson, chief technology officer at the cybersecurity company SpecterOps.
“What makes the Canvas incident significant is not simply that attackers may have abused a free account feature, but that a low-friction identity path appears to have become a route into higher-value institutional environments. The exact technical mechanism has not been publicly confirmed, but from an attack path management perspective, this is a reminder that identity risk is not limited to privileged administrators,” Atkinson wrote in an email to the Center for Digital Education. “Any identity, workflow, or feature that can cross a trust boundary can become part of an attacker’s path.”
These experts said the Instructure attack highlights longstanding concerns about the amount of sensitive information retained by education technology providers and the need for stronger incident planning.
“This unfortunate large-scale data breach reinforces the need for practicing data minimization, in which information like messages are not retained once they no longer serve an educational purpose, and planning for data incident responses, including setting expectations for when affected individuals will be notified,” Laird wrote in an email. She added that, under the Family Educational Rights and Privacy Act, schools share responsibility for safeguarding student information when they contract with ed-tech vendors.
To meet that responsibility, Laird recommended that schools assess the privacy and security practices of each vendor before adopting products, monitor their compliance over time, and ensure sensitive information is destroyed once it no longer serves an educational purpose. She added that companies themselves are legally required to follow data minimization practices, including limiting how long they retain student information.
Moreover, the Instructure breach comes at a time when schools are being encouraged to adopt various digital tools that collect data, including AI systems, while facing ongoing cybersecurity challenges.
“The federal government is responsible for potentially exacerbating security risks in schools as they are simultaneously pushing schools to rapidly adopt and deploy data-intensive AI tools while ... gutting cybersecurity resources that were previously made available to schools,” Laird wrote.
According to Attai, especially since Instructure has not disclosed the root cause of this breach — which she said has only made finding the right preventative measures for the future more challenging — the best way to mitigate further attacks is to return to, and emphasize, cybersecurity fundamentals. She said districts can do this by training employees, updating patches and fortifying endpoint protection, adding that schools and vendors, too, should conduct proper security and privacy assessments before signing a contract.
“We know what happened. We’re not really sure why it happened,” Attai said. “We need to demand better. There is a standard to meet when you’re working in education, and it means you must invest more in privacy and security ... because the cost of failure is devastating to education writ large, potentially.”
