A cybersecurity attack on the nation’s most widely used classroom software has potentially exposed the personal data of millions of students and educators.
INDIANAPOLIS — Several Indiana schools were impacted Thursday by a breach of the nation’s most widely used classroom software.
Instructure, the company that runs the Canvas learning management system used by more than 7,000 universities, K-12 districts and education ministries worldwide, disclosed the breach to affected institutions this week. The company confirmed names, email addresses, student ID numbers and private messages between users had been accessed before the breach was contained.
Students at Indiana University and Ivy Tech Community College told 13News the schools were impacted by the breach. Ivy Tech sent a message letting students and staff know it “was not a breach of Ivy Tech’s internal systems or networks,” but that the school was affected.
Instructure stated that the affected data might have included full names, email addresses, student ID numbers and messages, but that there is no evidence passwords, dates of birth, government identifiers or financial information were exposed.
IU administrators advised students and faculty to avoid logging into Canvas with their university credentials out of an abundance of caution.
A spokesperson for Purdue University shared the following statement with 13News Thursday evening.
“After an initial assessment, the nationwide Canvas cyberattack appears to have minimal impact on Purdue University and Purdue Global, as Canvas is not our main learning management system. We are still working on a review to ensure we properly identify any potential points of exposure.”
The criminal extortion group ShinyHunters claimed responsibility for the attack, alleging it had stolen more than 3.65 terabytes of data, including around 275 million records tied to students, teachers and staff, and shared a list of 8,809 school districts, universities and online education platforms it claims were affected.
The group posted a ransom message on Canvas, giving Instructure and affected schools until May 12, 2026 to “negotiate a settlement” to prevent the release of their data, “before everything is leaked.”
Notably, this is Instructure’s second confirmed breach in approximately eight months. In September 2025, the same ShinyHunters group exploited a social engineering attack against the company’s Salesforce environment.
Officials across the country are advising students, parents and staff to be cautious of unsolicited emails or messages that appear to come from Canvas, particularly those requesting personal information or password resets. Monitoring accounts for unusual activity is also encouraged.
