Instructure has posted an FAQ about the ongoing Canvas LMS cyber incident https://www.instructure.com/incident_update #edtech #canvas #instructure #edusec
Security Incident Update & FAQs

Instructure

@argv_minus_one

I'm not sure I understand why people are trying to research what schools use Canvas. ShinyHunters provided a list of all of the schools that were caught up in this attack:

https://databreaches.net/wp-content/uploads/Claimed-Victims-of-Canvas-Cyber-Incident.txt

That list has 8,809 entities listed.

It's not the entire universe of schools that use Canvas, but it's probably an accurate list of the schools that may be affected. A sample list ShinyHunters provided for my earlier report on this incident showed file sizes for: communication_channels.csv.gz, conversation_messages.csv.gz, conversations.csv.gz, and users.csv.gz. There were about 7,780 schools in that sample.

And yeah, hang on to your Tox because Session is closing in July, it seems.

#Instructure #Canvas #ShinyHunters #hackandleak #EduSec #databreach

OK, so it seems that #ShinyHunters breached #Instructure again and replaced login pages with their own message to schools about how to contact them directly.

The Canvas login pages were replaced with the message in the screenshot below.

Canvas subsequently replaced the login with "under maintenance" pages.

#databreach #hackandleak #EduSec #cybersecurity

Beginning circa 2010, I would call the NYS Comptroller's Office and the NYC Comptroller's Office to request audits of the NYC Department of Education's IT security, as the 2004 audit and re-audits identified major gaps and problems. My last post criticizing the absence of any current audit was published in 2023.

They actually were conducting an audit between 2020 and 2025, and the state has just released the public part of the audit report.

Read Chalkbeat's media coverage of the audit here: https://www.chalkbeat.org/newyork/2026/05/04/state-comptroller-audit-finds-student-data-privacy-gaps-in-nyc-schools/

Read the public part of the audit report here:
https://www.osc.ny.gov/files/state-agencies/audits/pdf/sga-2026-23n6.pdf

I've posted a few comments at
https://databreaches.net/2026/05/05/nyc-public-schools-lack-central-inventory-to-track-vendors-used-by-schools-nys-auditor/

#EduSec #NYCPS #audit #NYSComptroller #databreach #infosec #cybersecurity

State audit slams NYC schools for lack of student data privacy oversight

NYC schools don’t have a clear understanding of what student data they collect or who can access it, according to a state comptroller audit. It raises concerns as more third-party platforms — including AI tools — are introduced.

Chalkbeat

@funnymonkey Thanks for the kind words.

Someone commented on my Instructure post with a comment as "Sysadmin." They wrote:

"Are you effin kidding me! We got an Email from Instructure saying we were impacted and now we have to inform all the students and families in our district.

Why do these ShinyHunters keep attacking the edtech sector?? PowerSchool, infinite campus and now this.

It’s only a Sunday night and law enforcement has still done nothing about these hackers. Regulators really need to hold these companies accountable for poor security practices."

They raise valid points.

#edtech #EduSec #cybersecurity #vendor #supplychain #databreach #hackandleak

Another #EdTech vendor has allegedly fallen prey to #ShinyHunters in yet another Salesforce-related hack-and-leak incident.

Follett Software markets Aspen, Destiny, and Classroom Library Manager software to schools.

The threat actors claim to have acquired 4 million records with PII and other corporate files, and have given Follett until May 4 to contact them.

Because this is Salesforce related, there may actually be very little identifiable information about students or personnel in the customer support data, unless district or school personnel gave students' names or details in seeking help with the software or specific problems.

I guess we'll find out soon.

#EduSec #databreach #hackandleak

@douglevin @funnymonkey @mkeierleber

Tax documents for school employees potentially stolen across Los Angeles County:

At least two districts seem to have reported that employees discovered false tax returns had been filed, but the districts haven't been named, so DataBreaches started looking and may have identified one (then again, it may not be one of them!).

h/t, Los Angeles Daily News

My post:
https://databreaches.net/2026/04/18/tax-documents-for-school-employees-potentially-stolen-across-los-angeles-county/

#EduSec #databreach #IDtheft #TaxRefundFraud #cybersecurity #ransomware #Rhysida_Trojan

@douglevin @funnymonkey @mkeierleber

Tax documents for school employees potentially stolen across Los Angeles County - DataBreaches.Net

Jason Henry reports: The Los Angeles County Office of Education is investigating the possibility that bad actors gained access to the electronic tax documents o

DataBreaches.Net

NYS school data incidents rose 72% in 2025, with 44 reported on Long Island

Experts say the uptick underscores how vulnerable schools are and the limitations they face while managing an array of digital systems.

Newsday

Several #EdTech folks asked me to review the #InfiniteCampus data dump by #ShinyHunters to see if any sensitive student data was leaked as part of it.

I wrote up what I found here: https://databreaches.net/2026/03/28/thankfully-the-infinite-campus-incident-did-not-involve-a-lot-of-non-directory-student-information/

One takeaway for school districts is to remind employees NOT to include student PII or PHI in support tickets to vendors. I've been told it is sometimes required or necessary, but then why weren't tickets like the ones I saw stored with encryption?

#databreach #EduSec #cybersecurity
@mkeierleber @douglevin @funnymonkey