280 Million Student Records Exposed in Instructure/Canvas Data Breach

What Happened

A cyberattack on Instructure, the company behind the widely used Canvas learning platform, has exposed personal information from 280 million student and staff records across nearly 9,000 schools. This is one of the largest educational data breaches in history. If your child's school uses Canvas for online learning, assignments, or grade tracking, their information may have been compromised.

The Details

Instructure confirmed that hackers gained unauthorized access to their systems and extracted a massive database containing student and staff information. Canvas is used by K-12 schools, colleges, and universities across the United States and internationally for everything from homework submissions to grade reporting.

The exposed data includes names, email addresses, school enrollment information, and potentially other personal details stored in the platform. While Instructure has stated that Social Security numbers and financial information were not included, the combination of names, emails, and school affiliations creates serious risks. Cybercriminals can use this information for targeted phishing attacks, identity theft, and social engineering scams aimed at children and families.

The breach affects records spanning multiple years, meaning even students who have graduated or changed schools may be impacted. This vast treasure trove of education data is now circulating on dark web forums, where criminals trade and sell stolen information.

Who Is Affected

If your child attends a school that uses Canvas, assume their information was part of this breach. Canvas is one of the most popular learning management systems in education, used by thousands of school districts nationwide. Teachers, administrators, and other school staff who use the platform are also affected.

Parents should be particularly concerned if they have elementary or middle school children. Younger children's identities are prime targets for criminals because fraud can go undetected for years until the child applies for college loans or their first credit card.

What You Should Do Right Now

1. Contact your child's school and ask directly whether they use Canvas or any Instructure products. Request information about what specific data was stored in the system and what steps the school is taking to protect students.

The Bigger Picture

Educational institutions have become major targets for cybercriminals precisely because they house such valuable personal information about children. Schools often lack the cybersecurity resources of corporations, making them vulnerable. This breach reminds us that our children's digital footprints begin early and require active protection from parents.

As more learning moves online, families must stay informed about where children's data lives and how it's protected. The days of assuming schools handle digital security are over.

How GetCyberRight Can Help

Navigating child identity protection can feel overwhelming, especially during a crisis like this. Our Child Identity Theft Protection Guide provides clear, step-by-step instructions for freezing your child's credit with all three bureaus, setting up monitoring systems, and recognizing warning signs of identity theft. It's specifically designed for parents dealing with educational data breaches and includes template letters and direct contact information to make the process as simple as possible.