The CEO of Instructure, the company behind the widely used education tool Canvas, has issued a public apology following a significant data breach. Steve Daly acknowledged the disruption caused to schools and students, particularly during the end-of-year academic period.
The hacking group ShinyHunters claimed responsibility, stating they stole approximately 6.65 terabytes of data from roughly 9,000 schools worldwide. This information includes student names, email addresses, and private messages.
Daly confirmed the breach involved unauthorized access to usernames, email addresses, course names, and enrollment information. He emphasized that core learning data, such as course content, submissions, and credentials, were not compromised.
The vulnerability was traced to a support ticket system within Canvas's 'Free for Teacher' environment, which has now been temporarily disabled. Instructure is conducting a full security review.