The educational platform Canvas, widely used in American higher education, has been the victim of a massive data breach and hacking. Initial reports suggest that over 9,000 institutions and 275 million student data have been compromised in the United States, as well as in Canada.
Cyberattacks are now targeting the academic and student world. A few weeks ago in France, Crous confirmed a data leak affecting approximately 770,000 students. However, hackers claimed a much higher number of victims, close to 1.9 million, highlighting the potential extent of the breach.
More recently, universities across the Atlantic have been targeted. The Canvas educational platform, heavily used in American higher education, became inaccessible for several hours. Prestigious institutions like Stanford, Berkeley, Pennsylvania State University, and Columbia confirmed that their students, teachers, and staff could no longer access this central communication and educational management tool. The parent company, Instructure, stated that the platform was “currently inaccessible.”
According to Ransomware.live, an independent platform that tracks ransomware group activities, nearly 9,000 institutions and 275 million individuals may have been affected, with many personal data potentially compromised. The hacker group “ShinyHunters” claimed responsibility for the attack, as revealed by a ransom demand obtained by the Washington Post. The group allegedly stole data and threatened to release it if no payment was made.
“Biggest cybersecurity breach in the education sector”
In Canada as well, the cyberattack had repercussions. According to Radio-Canada, several educational institutions in Ontario, including the prestigious University of Toronto, were affected due to a vulnerability in the Canvas platform widely used for course distribution, sharing resources, and managing evaluations.
The scale of the incident raised serious concerns in the sector. David Shipley, CEO of Beauceron Security, stated to Radio-Canada that it could be the “biggest cybersecurity breach ever in the education sector,” describing it as an “incredibly destructive attack.” Millions of students, teachers, and staff could be affected by this data compromise.
Instructure, the platform’s parent company, explained that hackers initially gained access by exploiting a vulnerability linked to free accounts for teachers. Such intrusions are not unprecedented: in December 2024, the educational platform PowerSchool was also hacked. The company chose to pay a ransom to prevent the public release of compromised data, highlighting the persistent vulnerability of educational digital infrastructures.
