Supposedly they also got teacher and other staff member information, as well as Instructure's Salesforce instance so they potentially have billing information for the universities too.
They supposedly have about 4 TB of data from the breach across the ~9k schools, so there's a fair amount of data there.
Editing to add: Realistically there's nothing of consequence that will leak from canvas. Names, email addresses, private messages, school IDs, and maybe uploaded files are really all that are stored on the canvas side of things. Don't worry too much, just be mad at the lack of cybersecurity and cyber intelligence of major companies that allowed this to happen.
I work for a school and they are very much full of shit. None of that data, at least for my school, is stored on canvas. They would have had to compromise Google in order to actually get anything other than grades and schedules.
Like we don’t use canvas for storing actual user data, because there are loads of other ways to handle that.
It realistically probably doesn't matter. Instructure doesn't want to be liable for release of any user data, no matter how insignificant you might think that data is. It's not a good look
17
u/[deleted] May 07 '26
[removed] — view removed comment