The Biggest Student Data Privacy Disaster in History: Canvas Hack Shows the Danger of Centralized EdTech
Canvas Hack Details
According to the hacking group, ShinyHunters, a ransomware group, hacked Canvas’s parent company and apparently stole “billions” of messages and accessed more than 275 million individuals’ data. The group also locked students out of Canvas.
Instructure noted on an incident update page that the stolen data includes “certain personal information of users at affected organizations.” This includes names, email addresses, student ID numbers, and messages among Canvas users. Instructure also noted that it was breached twice—once on April 29 and again on Thursday.
The hack impacted millions of students at thousands of universities and K-12 schools, with Instructure eventually restoring Canvas to some extent by Thursday evening. The breach highlights the dangers of centralizing educational and personal data in a single service like Canvas, which serves as a hub for assignments, lectures, discussion boards, and other education-related software.
Interview with Ian Linkletter
Ian Linkletter: At about 1:20 PM [Pacific, Thursday], people started posting screenshots to Reddit of this breach message that they got. Some institutions were cautioning people to change their passwords if they were logged in. It seems like people are in panic mode; some senior administrators at schools are in meetings talking about whether they need to cancel finals next week. The implications are on everything because schools rely heavily on Canvas for communications, grading, and other educational activities.
404 Media: What do we know about the hack so far?
Linkletter: At 1:20 PM [Pacific, Thursday], people started posting screenshots to Reddit of this breach message that they got. Some institutions were cautioning people to change their passwords if they were logged in. It seems like people are in panic mode; some senior administrators at schools are in meetings talking about whether they need to cancel finals next week. The implications are on everything because schools rely heavily on Canvas for communications, grading, and other educational activities.
404 Media: What do you think made you frame this as the biggest student data privacy disaster in history?
Linkletter: I supported Blackboard [a similar piece of tech] way back in the day. And what I was there for when we switched to Canvas in 2017 was the shift from these scrappy little self-hosted learning management system apps that would be on Canadian servers to this centralized, all eggs-in-one basket faith in a U.S. tech company. This idea that our data would be just as safe with them as it was when we had it. And because this move to the cloud happened so suddenly about 10 years ago, all of a sudden data got centralized. The only way I can think of that this type of hack where everything went down and so much was stolen would be if Instructure had access to everybody’s data, which doesn’t seem necessary. For it to be just so widespread across every customer is something we’ve never seen before.
404 Media: Can you elaborate on how the contents of messages could lead to phishing attacks?
Linkletter: I supported instructors that used Canvas. And so I would hear these stories like, and they’re on like the professor’s subreddit and stuff too, like students are telling you that people died [to explain absences]. There’s personal circumstances, medical circumstances, accessibility accommodations, disputes, sexual assault allegations, like all sorts of stuff would be getting reported to the instructor using Canvas. If that information is out across hundreds of millions of people, there’s a lot of harm that’s going to happen.
404 Media: What are you monitoring as this plays out?
Linkletter: My biggest concern right now is monitoring the institutional response. I feel very strongly that students should have been warned about this like days ago. And it just took this second hack where students got something in their face notifying them that really made schools respond. So I believe that students need to be warned or else they’re going to get harmed. And the longer schools wait to tell students about what’s going on, even the little that they know, the more stress and chaos and potential risk to student privacy and safety is at stake.
Key Takeaways
- The Canvas hack exposed billions of messages and data from over 275 million individuals.
- Instructure restored Canvas partially by Thursday evening but has been breached twice, once on April 29.
- This incident highlights the dangers of centralizing educational data in a single platform like Canvas.
- Student privacy and safety are at risk due to widespread exposure of sensitive information.
Originally published at 404media.co. Curated by AI Maestro.
Stay ahead of AI. Get the most important stories delivered to your inbox — no spam, no noise.