The Vendor You Trusted: Why Schools and Education Platforms Are the Newest Frontier for Cyberattacks

Canvas, PowerSchool, Udemy: schools keep getting breached through the vendors they trust. Why third-party penetration testing is now a basic requirement.

Garrett Grimmett 16 min read

Finals week is supposed to be stressful for one reason.

Students at Harvard, Princeton, Columbia, Georgetown, and Rutgers logged into Canvas on the morning of May 7, 2026, expecting to submit papers, check grades, and access study materials. What they found instead was a ransom note. The login page had been replaced by a message from a hacking group called ShinyHunters, claiming it had breached the platform’s parent company, Instructure, for the second time in a week. Billions of private messages exchanged between students and teachers. Student ID numbers. Names, email addresses, and records tied to an estimated 275 million users across more than 8,000 institutions in the United States, the United Kingdom, Canada, Australia, and beyond. The attackers set a deadline: pay, or the data goes public.

Professors scrambled to send assignments through personal email. University IT departments issued statements ranging from cautious to alarmed. Entire school districts in California, Florida, Georgia, Texas, Wisconsin, and more than a half dozen other states shut Canvas access down entirely until the situation became clearer. The University of Iowa’s director of information technology described it publicly as a national-level cybersecurity incident. Virginia Tech acknowledged the timing could not have been worse, with final exams and end-of-semester work hanging in the balance.

And none of the schools had done anything wrong.

That is the detail that makes the Canvas breach different from most of the cybersecurity stories that make headlines. No phishing email tricked a staff member at Harvard. No misconfigured server at Princeton handed over credentials. The institutions that were disrupted, embarrassed, and left scrambling during one of the most critical weeks of the academic calendar had trusted a vendor. That vendor’s systems were compromised through a vulnerability in its own Free-for-Teacher account environment. The schools were downstream of a decision they had no control over.

The breach was not their fault. The exposure was.

A Pattern the Education Sector Can No Longer Ignore

The Canvas attack did not arrive without warning. The education sector has been one of the most consistently targeted industries in cybersecurity for years, and the attacks have been accelerating in both scale and sophistication.

According to Comparitech, ransomware gangs claimed 251 attacks on educational institutions worldwide in 2025, with 3.96 million records confirmed breached across those incidents, a 27 percent increase over the previous year. The United States bore the heaviest share of those attacks, accounting for 130 of the 251 incidents. And according to a March report from the nonprofit Center for Internet Security, 82 percent of K-12 schools in the United States experienced a cyber incident between July 2023 and December 2024. That is not a niche problem. That is an industry-wide condition.

The education sector is, in the plain language of attackers, a soft target. Schools and universities hold enormous volumes of sensitive data: Social Security numbers, medical records, financial aid information, academic histories, and contact details for minors. They operate under tight budgets with limited dedicated security staff. They rely heavily on third-party technology vendors for nearly every function, from learning management to student records to payment processing. And they operate in an environment where a single compromised platform can cascade into disruptions at thousands of institutions simultaneously.

That last factor is worth pausing on. Because it is not just the schools themselves that are being attacked. It is the vendors the schools depend on. And that is where penetration testing becomes not a luxury but a fundamental operating requirement.

Canvas and the Cost of Implicit Trust

To understand what happened to Canvas, it helps to understand what Canvas is. Instructure’s platform is the most widely adopted learning management system in North American higher education, used by 41 percent of institutions across the United States and by many K-12 districts as well. In 2026, it served approximately 30 million active participants across more than 8,000 educational institutions worldwide. Assignments, quizzes, grading, instructor-to-student communication, course materials, and more all flow through a single platform that every student and faculty member uses every day.

The breach began on May 1, 2026, when Instructure disclosed an initial cybersecurity incident involving a criminal threat actor. The company stated the situation had been contained within a day, and that certain user data, including names, email addresses, and student ID numbers, had been accessed. ShinyHunters publicly claimed on May 3 that it had breached 275 million individuals’ records and had access to several billion private messages, and gave Instructure until May 6 to respond. The company did not.

On May 7, students trying to log in found the ransom note instead of their dashboards. ShinyHunters claimed it had breached Instructure again and specifically noted the company had responded to the first attack by ignoring contact attempts and applying security patches that were apparently insufficient. According to cybersecurity firm Emsisoft’s threat analyst Luke Connolly, the attack was carried out by exploiting vulnerabilities in Instructure’s Free-for-Teacher account environment.

By May 11, Instructure issued an apology for what it acknowledged was a lack of transparency. The company stated it had reached an agreement with the attackers and claimed the compromised data had been destroyed. Whether that claim is verifiable is a separate question. On May 13, a proposed class action lawsuit was filed in San Diego Federal Court on behalf of affected students whose personally identifiable information had been exposed.

The breach is now considered the largest educational security breach on record by global scale. More than 8,800 universities, educational ministries, and institutions worldwide were affected. For institutions in the middle of finals week, the disruption was not abstract. It was canceled submissions, rescheduled exams, and students left without access to materials they had been working toward all semester.

What makes this especially instructive is the attack vector. ShinyHunters did not breach Harvard. They breached the platform Harvard trusted. The institutions had conducted due diligence by selecting an industry-leading vendor with broad adoption and an established reputation. What they had not done, and could not have done without a vendor security testing requirement, was verify that the vendor’s own systems had been tested for exactly the kind of vulnerability that was exploited. Implicit trust in a vendor’s reputation is not the same as validated security.

Udemy: When the Learning Platform Becomes the Threat

Three weeks before the Canvas breach made national headlines, a quieter attack hit a different corner of the education technology space.

On April 24, 2026, ShinyHunters added Udemy to its dark web leak site with a straightforward message: over 1.4 million records containing personally identifiable information and internal corporate data had been compromised. The group gave Udemy until April 27 to respond. When no agreement was reached, the data was released. Have I Been Pwned, the widely used data breach notification service, confirmed the dataset by adding 1.4 million unique email addresses from the dump and verified that the stolen records included names, physical addresses, phone numbers, employer information, and instructor payout methods including PayPal credentials, check details, and bank transfer information.

The timing of the Udemy breach carries a dimension that extends well beyond the platform itself. Udemy is not just a consumer learning site. It is one of the most widely deployed corporate learning and development platforms in the world. Thousands of companies purchase Udemy Business licenses so their employees can access training on cybersecurity, technology, and professional skills. Those employees enroll using their work email addresses. Their employer information, job functions, and learning histories are tied to corporate accounts. A meaningful share of the 1.4 million records now circulating in attacker networks are linked to verified professional email addresses and organizational affiliations.

The practical consequence is a downstream phishing risk that reaches far beyond Udemy’s own user base. Attackers who possess this dataset can craft emails that reference accurate account details, known course enrollments, and legitimate-looking invoice or security notifications. Those messages will arrive at corporate inboxes where recipients have no reason to be suspicious of a platform they actively use. The Udemy breach is, from an attacker’s perspective, not just a data theft. It is a targeting file for the next campaign.

It is also worth noting the context in which this attack occurred. Udemy had recently agreed to merge with Coursera, creating a larger combined company in the e-learning market. Transitions of this kind, involving system integrations, shifting access controls, and organizational restructuring, are exactly the moments when security testing tends to fall behind operational priorities. The attack likely did not involve breaking into Udemy’s core infrastructure through brute force. Security researchers noted the pattern was consistent with credential-based or identity access exploitation, where attackers gain entry using legitimate credentials obtained through earlier breaches or phishing rather than by defeating technical defenses directly.

Neither the Canvas breach nor the Udemy breach required the attacker to overcome a hardened perimeter. In both cases, the entry point was something that had either never been tested from an adversarial perspective or had been tested and the findings not fully addressed. That distinction matters enormously when thinking about what preventive measures actually help.

The Vendor Problem: Where Schools Are Most Exposed

Canvas and Udemy are two examples of a pattern that Comparitech’s head of data research, Rebecca Moody, described plainly in her analysis of 2025 education breaches: the big distinguishing factor was third-party attacks. Schools not only have to worry about their own systems. They have to worry about every system they are connected to.

The PowerSchool breach that unfolded in December 2024 illustrated this with particular force. PowerSchool serves approximately 75 percent of the K-12 education market in North America, providing student information systems to more than 18,000 schools and 6,500 districts globally. A hacker gained access through a compromised credential on PowerSchool’s customer support portal, PowerSource, which did not require multi-factor authentication at the time of the incident. Nine days passed before the intrusion was detected. By then, personal data belonging to an estimated 62 million students and 9.5 million educators had been exfiltrated. The stolen records included Social Security numbers, medical histories, disciplinary records, and academic data. The Toronto District School Board alone reported that data stretching back 40 years and covering 1.5 million students had been accessed.

The attack on PowerSchool was not carried out by a sophisticated nation-state actor. According to the Department of Justice, the perpetrator was a 19-year-old college student in Massachusetts who was charged, convicted, and sentenced to four years in federal prison. He gained access using a single stolen credential on a portal that had no multi-factor authentication. He remained inside the system for nine days without triggering detection.

A penetration test of that portal would have identified the absence of MFA as a critical finding in the first hour of assessment. The question of why it was not found through a test before a teenager found it through an attack is not rhetorical. It is the central question every school administrator and ed tech vendor should be sitting with.

The vendor dependency problem in education is structural. Schools do not just use one or two external platforms. They use dozens, often without a comprehensive map of which vendors have access to which data, under what conditions, and with what security controls in place. In education, the list includes learning management systems, student information systems, assessment platforms, identity providers, communication tools, payment processors, and the administrative software that ties them together. Each of these relationships represents a potential entry point that the school itself cannot directly test or control.

What institutions can do is require it. Vendor security assessments, contractual penetration testing requirements, and documented evidence of third-party security validation are increasingly standard in healthcare and financial services. The education sector is behind, and the breach record over the past 18 months shows what that gap costs.

What Penetration Testing Actually Finds in Education Environments

There is a common assumption in schools and universities that because a vendor is large and widely used, it has been thoroughly security-tested. The Canvas breach specifically challenges that assumption. Instructure serves 30 million active users at 8,000 institutions. Its Free-for-Teacher account environment, which was the apparent attack surface, had not been secured against the exploitation technique ShinyHunters used. Scale does not equal security.

In education environments, penetration testing consistently surfaces a specific set of vulnerabilities that compliance reviews and vendor questionnaires do not catch. Externally facing portals, like the PowerSource customer support portal that enabled the PowerSchool breach, frequently lack basic authentication controls that would be flagged immediately in an adversarial test. Internal network segmentation in school districts is often assumed rather than validated, meaning an attacker with access to one system can move laterally across networks housing student records, financial data, and operational infrastructure without meaningful barriers.

API security in ed tech platforms is another consistent area of weakness. Learning management systems, student information systems, and assessment platforms rely on APIs to connect front-end interfaces with backend data. Insufficient authentication on a single API endpoint can expose grade records, personally identifiable information, or communication histories to anyone who probes the surface systematically. Rate limiting on login interfaces is frequently absent, making credential stuffing attacks straightforward for any attacker with a list of previously breached email and password combinations.
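The credential stuffing pattern described above has a distinctive shape in login logs: one source cycling through many different accounts with a high failure rate, exactly what an unthrottled login form permits. The detector below is an added example written for this article, not code from Instructure, PowerSchool or any vendor; it assumes a constructed, line-oriented login log format (`timestamp source_ip username SUCCESS|FAIL`) and uses thresholds that are illustrative, not tuned values.

```python
"""Credential-stuffing detection over a login audit log (added example).

Assumed log format, constructed for this illustration:
    <ISO-8601 timestamp> <source_ip> <username> <SUCCESS|FAIL>
Heuristic: within a sliding time window, a single source attempting many
DISTINCT accounts with mostly failures is replaying a breached list.
A source hammering ONE account is brute force, a different problem that
lockout policy handles, so it is deliberately not flagged here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 replays a breached list against six
# accounts (one pair still works); 198.51.100.4 is a user who mistyped
# once; 192.0.2.9 brute-forces a single account and should NOT match.
SAMPLE_LOG = """\
2026-05-02T08:00:01Z 203.0.113.7 a.rivera@example.edu FAIL
2026-05-02T08:00:02Z 203.0.113.7 b.chen@example.edu FAIL
2026-05-02T08:00:02Z 203.0.113.7 c.okafor@example.edu FAIL
2026-05-02T08:00:03Z 203.0.113.7 d.smith@example.edu FAIL
2026-05-02T08:00:03Z 203.0.113.7 e.novak@example.edu SUCCESS
2026-05-02T08:00:04Z 203.0.113.7 f.yamada@example.edu FAIL
2026-05-02T08:00:30Z 198.51.100.4 t.lopez@example.edu FAIL
2026-05-02T08:00:45Z 198.51.100.4 t.lopez@example.edu SUCCESS
2026-05-02T08:01:00Z 192.0.2.9 g.hall@example.edu FAIL
2026-05-02T08:01:05Z 192.0.2.9 g.hall@example.edu FAIL
2026-05-02T08:01:10Z 192.0.2.9 g.hall@example.edu FAIL
2026-05-02T08:01:15Z 192.0.2.9 g.hall@example.edu FAIL
2026-05-02T08:01:20Z 192.0.2.9 g.hall@example.edu FAIL
2026-05-02T08:01:25Z 192.0.2.9 g.hall@example.edu FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def detect_credential_stuffing(log_text, window=timedelta(seconds=60),
                               min_accounts=5, min_fail_ratio=0.6):
    """Return {source_ip: finding} for sources matching the stuffing pattern.

    Thresholds are illustrative assumptions; tune them to the portal's
    real traffic before relying on the alert.
    """
    windows = defaultdict(deque)  # per-source sliding window of attempts
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        q = windows[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # expire attempts older than the window
            q.popleft()
        accounts = {u for _, u, _ in q}
        failures = sum(1 for _, _, s in q if not s)
        if len(accounts) >= min_accounts and failures / len(q) >= min_fail_ratio:
            prev = findings.get(ip)
            if prev is None or len(accounts) > prev["distinct_accounts"]:
                findings[ip] = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(q),
                    "failures": failures,
                    # A success inside a stuffing burst means the replayed
                    # pair worked: those accounts need a forced reset.
                    "compromised": sorted(u for _, u, s in q if s),
                    "first_seen": q[0][0].isoformat(),
                    "last_seen": ts.isoformat(),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

On the sample log only 203.0.113.7 is reported, with e.novak@example.edu listed as the account whose replayed password still worked; the single-account brute force from 192.0.2.9 is intentionally left to lockout controls.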

Social engineering is where education environments are uniquely exposed. Schools have large, rotating populations of users who receive high volumes of communications from administrators, instructors, and IT departments. That volume creates cover for phishing campaigns that are difficult to distinguish from legitimate internal messages. Center for Internet Security research found that human-targeted attacks, specifically phishing and social engineering, were the primary attack vector for K-12 incidents between July 2023 and December 2024, exceeding other techniques by approximately 45 percent. Penetration testing that includes social engineering simulations, testing whether staff and faculty recognize and report suspicious communications, is not a theoretical exercise in this environment. It is a direct assessment of the school’s most frequently exploited vulnerability.

Perhaps most importantly, penetration testing evaluates vendor access. Many schools have never formally inventoried which vendors retain remote access to their systems, under what conditions, and with what authentication requirements. A tested environment maps those connections. An untested one discovers them when an attacker does.

The AI Layer Is Making Everything Harder

The attacks that hit Canvas and Udemy in spring 2026 were carried out by ShinyHunters, a group that has been linked to large-scale data theft and extortion campaigns across industries. According to Mandiant, a cyber-intelligence firm owned by Google, ShinyHunters uses sophisticated voice phishing, fake company-branded login pages, and credential harvesting from cloud-based platforms as standard operating procedure. The techniques are not new. What is new is the precision with which AI tools allow them to be executed at scale.

Education platforms are a particularly rich target for AI-assisted attacks because of the volume and specificity of the data they hold. A dataset of student and instructor records from a learning management system contains names, institutional affiliations, course histories, and communication patterns. An attacker with access to that data can generate highly personalized phishing messages that reference real course names, real instructor relationships, and real transaction histories in ways that are nearly indistinguishable from legitimate institutional communications. The Udemy breach, which exposed employer information and course enrollment data for 1.4 million users, handed attackers exactly the enriched dataset that AI-assisted phishing campaigns are built around.

Voice cloning and deepfake technology add another layer to this risk. School districts and universities communicate constantly with parents, students, and staff. A spoofed call from a voice that sounds like the superintendent, requesting urgent action on a wire transfer or credential verification, exploits the same trust that social engineering attacks have always relied on, but with a level of verisimilitude that was not technically achievable a few years ago. The FBI’s 2025 IC3 Annual Report documented more than 22,000 AI-related cybercrime complaints with associated losses exceeding $893 million, a figure that will grow as the tools become more accessible.

Testing against this class of threat requires adversarial simulation that mirrors actual attacker behavior, including AI-generated phishing campaigns, voice-cloned social engineering attempts, and realistic impersonation exercises targeting administrative and financial staff. Penetration testing that stops at the network perimeter does not evaluate these risks. The education sector’s threat landscape has expanded well beyond the firewall.

The Test You Have Not Run

Here is the honest framing of where most schools and education platforms stand today. They have selected vendors carefully. They have reviewed contracts. Many have completed questionnaires and collected certifications. Fast Track, the gambling industry CRM that was breached while serving over 100 casino clients in 2025, held a valid SOC 2 Type 2 certification at the time of the attack. PowerSchool was one of the most widely deployed and trusted platforms in K-12 education. Canvas served 41 percent of North American higher education institutions. Udemy was one of the largest corporate learning platforms in the world.

Documentation and certification describe what an organization intends to do. Penetration testing determines whether the intention holds under real attack conditions. Those are not the same measurement, and the breach record of the past 18 months demonstrates the cost of treating them as equivalent.

For schools and school districts, the practical starting point is vendor assessment. Knowing which vendors have access to student and staff data, requiring documentation of recent penetration testing results as a condition of contract renewal, and establishing a process for reviewing third-party security findings before they become third-party breach notifications is within reach for institutions of almost any size. It does not require a large security team or a sophisticated internal program. It requires asking vendors to prove their controls work, not just describe them.

For ed tech vendors, the question is more direct. Canvas served 30 million users. Its Free-for-Teacher environment, a peripheral account type, was the attack surface. How thoroughly had that environment been tested by someone whose job it was to find what an attacker would find? The breach was described as the largest educational security breach on record by global scale. The entry point was not exotic. It was a feature that had not been subjected to the same adversarial scrutiny as the core platform.

A penetration test is not a guarantee that nothing will ever go wrong. Nothing in security makes that guarantee. What it provides is an honest answer to the question that every institution and every vendor in the education space should be asking right now: if someone were looking for a way in, what would they find?

Sixty-two million students’ Social Security numbers. Billions of private messages between students and teachers. Fourteen hundred thousand instructor payout records and employer affiliations. The people whose data ended up in those breach files were not reckless. They were not negligent. They trusted platforms that had not answered that question thoroughly enough.

The students sitting in front of a ransom note instead of their finals dashboard did not choose their vendor. Their schools did. And somewhere upstream, the testing that might have changed the outcome was never done.

References

  1. Wikipedia. 2026 Canvas Security Incident. Instructure disclosed a cybersecurity incident on May 1, 2026 involving user data from its Canvas LMS platform. ShinyHunters claimed responsibility for a second breach on May 7, 2026. Approximately 8,809 institutions and 275 million users affected globally. Class action lawsuit filed May 13, 2026 in San Diego Federal Court.

  2. CNN. Canvas hack: What we know about apparent cyberattack that impacted thousands of schools. May 8, 2026. Reported student disruptions at Columbia University, Rutgers, Princeton, Kent State, Harvard, and Georgetown, and district shutdowns across more than a dozen states.

  3. Cybernews. ShinyHunters Claim Udemy Data Theft. April 27, 2026. ShinyHunters posted Udemy to its leak site on April 24, 2026, claiming 1.4 million records. Have I Been Pwned confirmed 1.4 million unique email addresses including names, addresses, phone numbers, employer information, and instructor payout methods.

  4. Help Net Security. ShinyHunters claims it stole 1.4 million records from Udemy. April 28, 2026. Confirmed dataset details including PayPal credentials, check details, and bank transfer information for instructors.

  5. TechCrunch. What PowerSchool won’t say about its data breach affecting millions of students. March 10, 2025. Confirmed breach of PowerSchool SIS via compromised credential on the PowerSource customer support portal, which lacked multi-factor authentication.

  6. Proskauer Privacy Law. The PowerSchool Breach: A Privacy Lesson on Third-Party Risk Exposure. 2025. Confirmed 62 million students and 9.5 million educators affected; root cause compromised credentials and absence of MFA on the PowerSource portal.

  7. Comparitech. Education Ransomware Roundup 2025. 251 ransomware attacks on educational institutions globally in 2025; 3.96 million records confirmed breached, a 27 percent increase over 2024; the United States accounted for 130 of 251 attacks.

  8. Center for Internet Security and K-12 Dive. 82 percent of U.S. K-12 schools experienced a cyber incident between July 2023 and December 2024; human-targeted attacks were the primary vector, exceeding other techniques by approximately 45 percent. Reported in K-12 Dive, July 2025.

  9. Federal Bureau of Investigation Internet Crime Complaint Center (IC3). 2025 Annual Report. AI-related cybercrime complaints: more than 22,000, with associated losses exceeding $893 million. ic3.gov

  10. Mandiant (Google). Reporting on ShinyHunters operational methods including sophisticated voice phishing, fake company-branded login pages, and credential harvesting from cloud-based platforms. Referenced in CNN reporting on the Canvas breach, May 2026.

Next step

Want this kind of detail on your environment?

A 30-minute scoping call. You talk to the senior operator who would run the engagement. No slide deck.

  • No high-pressure follow-up
  • Scoping notes delivered within 24 hours
  • NDA available before the call