A Cyberattack Inside the Classroom
It started quietly on April 30, 2026, when teachers and students across the country noticed that tools connected to their school’s learning platform were not working. By the next day, the reason became clear. Canvas, the company behind the most widely used learning management system in the country, confirmed that a criminal hacker group had broken in and stolen an enormous amount of data.
Stop what you are doing. If your child does homework through Canvas, this one is for you. And tell every parent you know.
For students, parents, teachers, and staff at several York and Lancaster County institutions, this breach is not an abstract national story. It is personal.
YoCo News has reached out to all locally affected institutions and will provide updates as responses are received.
Who Is Canvas and What Do They Do?
Most students, parents, and teachers know Canvas simply as the platform they log into to access coursework, submit assignments, message teachers, check grades, and participate in class discussions. Very few know the company behind it.
Canvas is a Salt Lake City-based education technology company that launched its learning platform in 2011, disrupting the learning management system market and growing to become the world’s dominant platform in its category. Canvas is used by 41% of higher education institutions across North America to deliver courses, and it has expanded deeply into K-12 education as well. More than 7,000 universities, K-12 districts, and education ministries worldwide rely on it. In 2020, private equity firm Thoma Bravo acquired Canvas for $2 billion, and the company was later acquired by KKR. In plain terms, Canvas is a massive, privately held technology company that quietly sits at the center of how tens of millions of students experience education every day, which is precisely what makes this breach so significant.
Who Uses Canvas Locally and Who Does Not
In York and Lancaster Counties, the following institutions use Canvas and may be affected by this breach:
Potentially affected local institutions: Clinton College, Rock Hill School District, York School District, Clover School District
Not affected — these institutions use different platforms: Fort Mill School District uses Google Classroom. Winthrop University uses Blackboard. Lancaster County Schools District use Google Classroom. York Technical College uses D2L/Brightspace. USC Lancaster uses D2L/Brightspace.
Who Is Behind This Attack and What Did They Steal
This is one of the biggest school cyberattacks in history. The hacker group ShinyHunters says they stole 3.65 terabytes of data — 275 million students, teachers, and staff at nearly 9,000 schools worldwide. Names. Email addresses. Student ID numbers. And several billion private messages between students and teachers. Every chat. Every late-night homework question. Every sensitive conversation a struggling student had with their teacher about a grade, a family situation, or a personal crisis.
ShinyHunters warned that Canvas could anticipate a leak of several billions of private messages among students and teachers, and between students, containing personal conversations and other personally identifying information if their ransom demands were not met. The hackers gave Canvas 48 hours to pay or threatened to leak everything publicly.
Regular readers of Dr. Tom’s column will recognize ShinyHunters immediately. This is the same group behind the Amtrak breach covered in last week’s column, as well as recent attacks on Cisco, Hallmark, Rockstar Games, and multiple investment advisory firms. They are one of the most prolific and aggressive criminal data extortion operations on the planet right now, and their pace is accelerating.
Canvas first detected service disruptions affecting tools relying on API keys on April 30, 2026, and by May 1 confirmed that the incident was perpetrated by a criminal threat actor. On May 3, ShinyHunters listed Canvas on its data leak site, claiming responsibility and alleging the theft of more than 3.65 terabytes of data.
Making the situation even more alarming, this is Canvas’s second confirmed breach in approximately eight months. In September 2025, the same group exploited a social engineering attack against the company’s Salesforce environment, raising serious questions about whether remediation efforts following the first breach were sufficient.
How Did They Get In
There is an important and sobering detail about how the attackers may have accessed this data. According to published claims, the data was obtained through Canvas data export APIs and provisioning reports — legitimate administrative interfaces built into the platform — rather than through a direct software exploit. When accessed with compromised credentials or through misconfigured access controls, these administrative tools can extract large volumes of structured personal data without triggering intrusion detection systems designed to flag anomalous software behavior.
In plain English: the hackers did not necessarily need to break down the front door. They may have walked in through a side entrance that was left unlocked, using stolen employee credentials to access tools that were designed to export data in bulk. Once inside, they could vacuum up millions of records quietly, without setting off any alarms.
Canvas confirmed that passwords, dates of birth, government identifiers, and financial information were not involved in the breach. However, what was exposed is more than enough to cause serious harm.
What Risks Do Students, Parents, and Staff Face
Data breaches involving student and educator information can create serious risks of targeted phishing, identity theft, impersonation, and social engineering attacks. With names, institutional email addresses, student ID numbers, and private messages in the wrong hands, attackers can craft highly convincing scams that appear to come from a school administrator, teacher, or classmate.
Here is what that looks like in practice. A criminal who knows your child’s name, their school, their teacher’s name, and the actual contents of private messages exchanged on the Canvas platform can send a shockingly convincing fake email appearing to come from that teacher. It might ask for personal information, a password reset, or even a payment. That same criminal can use a student ID number combined with other personal details to attempt fraudulent financial aid applications or scholarship scams targeting college students.
The private message data is the element that makes this breach particularly dangerous. Most phishing emails are easy to spot because they are generic. A criminal armed with the actual content of your child’s private school conversations is anything but generic.
Five Steps to Take Tonight
1. Turn on multi-factor authentication wherever it is available. This is the single most important step you can take right now. If your school’s Canvas login, student email, or any connected account offers multi-factor authentication, also called MFA or two-step verification, enable it immediately. Phishing-resistant MFA is the only category that survives the adversary-in-the-middle attack kits behind these phishing waves. Even if a criminal has your username and password, MFA stops them from getting in. Check your Canvas account settings, your school-issued email account, and any student portal your institution uses.
2. Change your Canvas password right now. Although Canvas says passwords were not directly stolen, changing your password and forcing a re-login on every device closes the door on any session tokens that may have been exposed. Make sure the new password is unique to Canvas and not reused from any other account.
3. Watch for phishing emails that seem to know too much. Be extremely suspicious of any unexpected email arriving at a school or college email address asking you to click a link, reset a password, confirm personal information, or make any kind of payment. A phishing email that references your child’s teacher by name, mentions a specific class, or quotes something from a private Canvas message is not a sign the email is legitimate. It is a sign a criminal has read your data and is using it to appear trustworthy. Avoid clicking links in unsolicited messages. Instead, open a new browser window and go to the official site as you normally would, then log in from there to check for messages.
4. Talk to your kids about this tonight. Children are often the first target of follow-on scams after a school breach because they are less likely to question a message that appears to come from a teacher or classmate. Make sure your child knows not to click any unexpected links in their school email, not to share passwords with anyone, and to come to you immediately if anything seems strange.
5. Contact your school’s IT department if you have concerns. If you receive a suspicious email appearing to come from a school administrator, teacher, or classmate, report it to your school’s IT department before clicking anything. Parents of younger children should expect formal notification from their school district. Under the FTC’s updated Children’s Online Privacy Protection Rule, which took effect April 22, 2026, schools handling data for children under 13 face tightened consent and breach notice requirements and a shorter notification clock. Do not hesitate to contact your district directly if you have not heard anything within a reasonable time.
Bonus step for college students and families: Monitor financial aid accounts and student loan portals for unfamiliar activity. Student ID numbers combined with personal details can be used to submit fraudulent financial aid applications.
The Tega Cay Sun has reached out to Clinton College, Rock Hill School District, York School District, and Clover School District for comment and will update this article as responses are received.
Stay safe out there, and I will see you next week!
Feeling lost in the digital world? Dr. Tom is here to help!
Sign up for our Sunday Spectator. Delivered to your inbox every Sunday, with all the news from the week.
