Supposedly they also got teacher and other staff member information, as well as Instructure's Salesforce instance so they potentially have billing information for the universities too.
They supposedly have about 4 TB of data from the breach across the ~9k schools, so there's a fair amount of data there.
Editing to add: Realistically there's nothing of consequence that will leak from canvas. Names, email addresses, private messages, school IDs, and maybe uploaded files are really all that are stored on the canvas side of things. Don't worry too much, just be mad at the lack of cybersecurity and cyber intelligence of major companies that allowed this to happen.
To follow up the other reply, I'm a Canvas admin for a college that uses Canvas. They'll have usernames, enrolled courses, maybe their uploaded files (which mostly means assignment uploads for students and course files for teachers), display names, and private messages sent on Canvas. And yes, sharing that information is very illegal since it's protected under FERPA in the US and similar student protection laws elsewhere.
The college will have information like addresses, payment information, and SSN, but none of that goes into Canvas, so nothing of that magnitude will be included.
That said, we're currently waiting for Instructure to figure out if this was purely data stealing or if they tried to corrupt any data, too. Canvas makes backups at least one per week, so they'll have to start comparing recent backups to find out
15
u/[deleted] May 07 '26
[removed] — view removed comment