The Biggest Student Data Privacy Disaster in History
Thursday afternoon, millions of students across thousands of universities and K-12 schools were locked out of Canvas, a popular piece of education technology software. ShinyHunters, a ransomware group, hacked the parent company of Canvas and reportedly accessed “billions” of messages and more than 275 million individuals’ data, according to the hacking group.
Later Thursday, Instructure, which makes Canvas, was able to mostly put Canvas back online; it is unclear if the company paid a ransom. The breach highlights the danger of centralizing educational and personal data in a single service. Canvas serves as a portal where teachers post assignments, lectures, have discussion boards, and students can message with each other and their teachers.
Instructure noted on an incident update page that the stolen data includes “certain personal information of users at affected organizations. That includes names, email addresses, student ID numbers, and messages among Canvas users.” Instructure also stated that it was breached twice—once on April 29 and again on Thursday.
Soon after the breach, I spoke with Ian Linkletter, a digital librarian specializing in emerging education technology, who has worked in EdTech for 20 years. He became known for exposing privacy concerns in Proctorio, a remote test proctoring software that gained prominence during the early days of the COVID-19 pandemic. In 2025, Linkletter was sued by Proctorio, but the case was eventually dropped.
Interview with Ian Linkletter
“At about 1:20 PM [Pacific, Thursday], people started posting screenshots to Reddit of this breach message. Some institutions were cautioning people to change their passwords if they were logged in; some senior administration at schools are in meetings talking about whether they need to cancel finals next week,” Linkletter said.
Linkletter explained that what made him frame the Canvas hack as “the biggest student data privacy disaster in history” was its scale and the sensitive nature of the stolen information. He noted that this type of widespread breach, where all data was compromised across many customers, had never happened before. The contents of messages could be used for phishing attacks, leading to personal information being exposed.
Linkletter added that messages between students and teachers often contained highly sensitive information such as medical conditions, accessibility accommodations, disputes, sexual assault allegations, and other personal circumstances. He emphasized the importance of warning students about the breach, arguing that schools should have alerted them sooner rather than waiting for another breach to occur.
Key Takeaways
- The Canvas hack represents a significant threat to student data privacy.
- Schools and educational institutions need to be more vigilant in protecting their students’ personal information.
- Widespread breaches of this nature highlight the risks associated with centralized education technology platforms.
- Students should have been warned about the breach sooner, as it could cause harm if not handled properly by schools.
Originally published at 404media.co. Curated by AI Maestro.
Stay ahead of AI. Get the most important stories delivered to your inbox — no spam, no noise.