JERSEY CITY, N.J. —
Hackers accessed names, emails, student IDs and private messages before breach was contained.
A cybersecurity attack on Canvas, the nation’s most widely used classroom software, has potentially exposed the personal data of millions of students and educators, including those in Hudson County. Instructure, the company behind the platform, disclosed the breach this week, confirming that names, email addresses, student ID numbers and private messages between users were accessed before the incident was contained. The criminal extortion group ShinyHunters claimed responsibility, alleging it stole 275 million records and threatening to release the data unless its demands are met.
Canvas is used by 41% of higher education institutions across North America and by numerous K-12 districts, including several in Hudson County. The breach raises serious privacy concerns for local students, teachers and staff whose sensitive communications may have been exposed.
Canvas was offline Thursday evening as the company placed the app in maintenance mode after users reported issues logging into student ePortfolios. By late Thursday, Instructure said most users should be able to access the app. The company stated that there is no evidence passwords, dates of birth, government identifiers or financial information were exposed.
“The sensitivity of Canvas messages compounds the concern. The platform is used by students to disclose medical and mental health information to academic advisers, to request accommodations and to communicate with Title IX advocates.” — Instructure statement
⚡ ShinyHunters claims to have stolen more than 3.65 terabytes of data and shared a list of 8,809 school districts, universities and online education platforms it says were affected. A ransom message on the platform gives Instructure until May 12 to respond and negotiate a settlement before the hackers leak information.
🔄 Instructure said it has engaged outside forensic cybersecurity experts and law enforcement. The investigation is ongoing, and the full scope of the breach has not yet been determined. Officials across the country, including in Hudson County, are advising students, parents and staff to be cautious of unsolicited emails or messages that appear to come from Canvas, particularly those requesting personal information or password resets. Monitoring accounts for unusual activity is also encouraged.
This is Instructure’s second confirmed breach in approximately eight months. In September 2025, the same ShinyHunters group used a social engineering attack against the company’s Salesforce environment. Hudson County residents with Canvas accounts are urged to remain vigilant and report any suspicious activity to their school or institution.
📎 Information from KIII-TV and Associated Press reports

