This week brought a sharp reminder of how vendor relationships become the weakest link in business security. The criminal extortion group ShinyHunters breached Instructure, owner of the Canvas learning management system, which is used by 41 percent of higher education institutions across North America. The scale is staggering: nearly 9,000 schools worldwide and the personal identifying information of 275 million people, including students, teachers and staff.
Canvas Breach Demonstrates Vendor Risk Amplification
ShinyHunters threatened to leak "Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information]". The company had preliminarily concluded that the breach involved names, email addresses, student ID numbers, and messages exchanged among users. The attack followed a familiar pattern: instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once.
Supply Chain Attacks Target Critical Business Vendors
This isn't an isolated incident. Last fall, hackers linked to the group stole data from Salesforce customer instances and claimed theft of some one billion customer records across dozens of companies, Instructure among them. In March, ShinyHunters infiltrated Infinite Campus, a widely used K-12 student information system, and in April it took credit for accessing internal data at the publisher McGraw Hill. More broadly, April 2026 was dominated by supply-chain compromises and OAuth abuse; two major U.S. banks were hit through a shared third-party vendor.
OAuth Permissions Create New Attack Vectors
The same pattern surfaced in a different form this week. A single employee granting a third-party AI tool broad Google Workspace permissions gave attackers an inherited trust path into Vercel: the access the tool had been authorized to hold became the attackers' access. Vercel's security team did not discover the breach; it came to light only when the attacker chose to monetize it publicly. Most companies have no inventory of which third-party apps their employees have authorized, let alone which scopes those apps hold or how many users have granted them.
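The inventory gap above is fixable with a short script. The following is an added example, not code from the original article or from Vercel; it assumes the grant list has the shape returned by the Google Workspace Admin SDK Directory API `tokens.list` method (one item per user and OAuth client, each carrying `clientId`, `displayText`, `scopes` and `userKey`), and the sample grants are constructed for illustration. It groups grants per third-party app, unions the scopes each app holds across all users, and ranks apps by the breadth of what a stolen token could reach.

```python
"""Triage third-party OAuth grants in a Google Workspace tenant.

Added example (not the article's or Vercel's code). Assumes input items shaped
like Admin SDK Directory API `tokens.list` results; SAMPLE_GRANTS is constructed.
"""

# Scopes that give standing access to data an extortion group can monetise.
# Assumption: tune this list for your own tenant and threat model.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "read/write every Drive file",
    "https://www.googleapis.com/auth/drive.readonly": "read every Drive file",
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/admin.directory.user": "manage all users",
    "https://www.googleapis.com/auth/calendar": "read/write all calendars",
}

# Identity-only or per-file scopes an add-on can legitimately ask for.
LOW_RISK_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.file",  # only files the user picks
}

# Constructed sample: one "AI notes" tool granted broad scopes by one employee.
SAMPLE_GRANTS = [
    {"clientId": "123-ai-notes.apps.googleusercontent.com", "displayText": "AI Meeting Notes",
     "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.readonly", "openid"]},
    {"clientId": "123-ai-notes.apps.googleusercontent.com", "displayText": "AI Meeting Notes",
     "userKey": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file", "openid"]},
    {"clientId": "456-chat.apps.googleusercontent.com", "displayText": "Team Chat",
     "userKey": "carol@example.com",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email", "openid"]},
    {"clientId": "789-crm.apps.googleusercontent.com", "displayText": "CRM Sync",
     "userKey": "dave@example.com",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
]


def risk_of_scopes(scopes):
    """Return (risk_level, reasons). Any broad scope makes the app 'high';
    only known-narrow scopes make it 'low'; anything else needs 'review'."""
    reasons = [f"{s}: {BROAD_SCOPES[s]}" for s in scopes if s in BROAD_SCOPES]
    if reasons:
        return "high", reasons
    unknown = [s for s in scopes if s not in LOW_RISK_SCOPES]
    if unknown:
        return "review", unknown
    return "low", []


def build_inventory(grants):
    """Group grants per OAuth client. The union of scopes across users is what
    matters: one employee's broad grant exposes the app's whole footprint."""
    apps = {}
    for g in grants:
        app = apps.setdefault(g["clientId"],
                              {"name": g["displayText"], "users": set(), "scopes": set()})
        app["users"].add(g["userKey"])
        app["scopes"].update(g["scopes"])
    rows = []
    for client_id, app in apps.items():
        risk, reasons = risk_of_scopes(app["scopes"])
        rows.append({"clientId": client_id, "name": app["name"], "risk": risk,
                     "reasons": reasons, "users": sorted(app["users"]),
                     "scopes": sorted(app["scopes"])})
    order = {"high": 0, "review": 1, "low": 2}
    rows.sort(key=lambda r: (order[r["risk"]], -len(r["users"]), r["name"]))
    return rows


def revoke_candidates(rows):
    """Client IDs whose grants should be revoked pending a vendor review."""
    return [r["clientId"] for r in rows if r["risk"] == "high"]


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_GRANTS):
        print(f"[{row['risk']:6}] {row['name']} ({len(row['users'])} users)")
        for reason in row["reasons"]:
            print("         ", reason)
```

The ranking deliberately keys on the union of scopes per client rather than per user: once one employee has granted an app full Drive access, the app's token store is a single target regardless of how narrowly everyone else scoped it. In a real tenant the grant list would come from the `tokens.list` API for each user (or the OAuth token audit log), and the `high` rows feed an allowlist decision or a `tokens.delete` call.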
What Individuals Should Do
If you have a Canvas account or work at an affected institution, secure it now: change the password, turn on multi-factor authentication where your institution offers it, and change the password on any other account that reuses your Canvas credentials. With access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be generic. It will reference real courses and real conversations, which makes it far more likely to succeed. Be especially suspicious of emails that cite specific classes or conversations from your Canvas account, even when they appear to come from your school.
What Businesses Should Do
The Canvas incident reveals a critical gap in vendor risk management. Your vendor's security posture is now your security posture. Third-party risk isn't a compliance checkbox; it is your actual attack surface. Businesses must move beyond annual vendor assessments to continuous monitoring of supplier security incidents. List every vendor, contractor, and SaaS application that touches your data or network, including the OAuth apps your employees have authorized on their own. Classify each by risk based on data sensitivity and access level. Create incident response plans specifically for vendor breaches, including procedures to quickly revoke access (credentials, API keys and OAuth grants alike) and assess downstream impact.