When the largest learning management system on the planet went dark in the middle of finals week, you didn't get the luxury of a slow, measured response. You got questions from parents, from students, from the superintendent, and from your board. And you had about ten minutes to start answering them.

That's exactly where thousands of schools and universities found themselves last week when Canvas, the online learning platform behind tens of millions of students worldwide, was hit by a cyberattack. SEVN-X CEO Matt Barnett joined NBC10 Philadelphia's Matt DeLucia to break down what happened and to push back on the way the story is being told.

The Canvas hack isn't an outage story. It's a third-party platform risk story, a student data privacy story, and a hard reminder that centralized education technology has quietly become a single point of failure for American schools.

What Happened With the Canvas Breach

The hacking group ShinyHunters (the same crew tied to the 2024 Ticketmaster breach) has been linked in multiple reports to the compromise of Instructure, the company behind Canvas. Instructure says it moved to contain the incident and notified law enforcement. By the morning of May 8, ransom notes were appearing on Canvas login pages at K-12 districts and major universities across the country, including Penn State, the University of Pennsylvania, Princeton, Harvard, Columbia, and Georgetown.

According to Instructure, the data accessed by the attackers included names, email addresses, student ID numbers, and messages exchanged inside the platform. The company says it has found no evidence that passwords, dates of birth, government IDs, or financial information were involved.

The hackers themselves are claiming a much larger haul—public reporting around the incident references claims of roughly 275 million records and thousands of affected institutions worldwide. The exact scope depends on the source and what has been independently verified.

It's Still Plenty Useful to Criminals

The instinct after a breach is to scan the list of compromised fields, breathe a sigh of relief if Social Security numbers and credit cards aren't on it, and move on. On NBC10, Matt pushed back hard on that reflex.

Even without financial data or government IDs in the mix, the information that was exposed (e.g. names, school email addresses, student ID numbers, and private in-platform messages) is more than enough to fuel a wave of phishing, impersonation, and highly targeted scams against students, staff, and institutions. Attackers now have the raw material to write a convincing email "from" a real professor, to a real student, referencing a real assignment, using a real school email format. That's a phishing campaign with a much higher hit rate than anything mass-mailed.

The follow-on attacks are the second blast, and historically they cause more damage than the original breach.

Why This Is a Third-Party Risk Story, Not an Outage Story

Here's the part most coverage is missing. The headline-friendly version of this story is "Canvas went down during finals." The version that actually matters to school leaders is this:

A single vendor decision, made years ago by hundreds of separate institutions, became a coordinated national failure in a single afternoon.

Penn State did not get hacked. The University of Pennsylvania did not get hacked. Your K-12 district almost certainly did not get hacked. Their shared vendor got hacked, and every institution that relied on that vendor inherited the consequences simultaneously.

This is what modern third-party risk actually looks like. It is no longer a procurement checklist exercise. It is a shared blast radius, and in education, that radius is enormous because the sector consolidated around a handful of dominant platforms.

You don't have to leave Canvas (and most schools won't, and shouldn't). But you do have to plan for the day it isn't there.

What Schools and IT Teams Should Do This Week

If you're a CISO, IT director, or technology coordinator at a school district or university, here's the short list. None of it is glamorous. All of it matters.

  1. Assume credentials and inboxes are now targets. Even if Instructure says passwords weren't taken, the names, IDs, and messages that were taken are gold for phishing. Force a Canvas password reset for every account and require MFA on all staff accounts at a minimum.
  2. Lock down the SSO connection between Canvas and your identity provider. If Canvas federated with Google Workspace, Microsoft Entra, or Okta in your environment, review the trust relationship, rotate any SAML/OIDC secrets, and audit recent sign-in logs for anomalies.
  3. Brief your help desk and faculty before the phishing wave hits. The next 30–60 days will bring fake "Canvas password reset" emails, fake "your assignment was flagged" notices, and fake calls to faculty using real student ID numbers as proof of legitimacy. Your help desk needs scripted responses and a fast escalation path.
  4. Run a tabletop exercise...for real this time. Not a 30-minute walkthrough. A real exercise where someone has to call legal, someone has to call the cyber insurer, and someone has to draft a parent communication while the clock is ticking. If you've never done one, SEVN-X runs them for exactly this scenario.
  5. Treat "vendor breach" as a first-class branch of your IR plan. Parents and students won't email Instructure, they'll email you. Your incident response plan needs a clear third-party breach playbook, and your communications templates should already exist before the next one happens.
  6. Inventory your single points of failure. Canvas was today. Tomorrow it's your SIS, your assessment vendor, your cafeteria payment system, your bus routing platform. Map the dependencies before you have to discover them under pressure.
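Step 2 above tells you to audit recent sign-in logs for anomalies, which is vague until you decide what "anomaly" means. The script below is an added illustration, not SEVN-X or Instructure code, of three checks an IdP admin would reasonably run against the Canvas SSO application after a vendor breach: a successful sign-in from a country the user has never used, a burst of MFA failures against one account, and one IP trying many different accounts. The records and the per-user country baseline are constructed, and the field names (`user`, `app`, `ip`, `country`, `result`, `mfa`) are an assumed export shape loosely modelled on identity-provider sign-in logs; map them to whatever Google Workspace, Entra or Okta actually exports for you.

```python
"""Review Canvas SSO sign-in records for post-breach anomalies.

Added illustration; not SEVN-X or Instructure code. The records below are
constructed and the field names are an assumed export shape, so map them
to your own identity provider's sign-in log export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line, as an IdP export might look.
SAMPLE_LOG = """
{"time": "2025-05-08T08:02:11Z", "user": "jdoe@example.edu", "app": "Canvas LMS", "ip": "198.51.100.7", "country": "US", "result": "success", "mfa": "satisfied"}
{"time": "2025-05-08T08:40:03Z", "user": "asmith@example.edu", "app": "Canvas LMS", "ip": "198.51.100.9", "country": "US", "result": "success", "mfa": "satisfied"}
{"time": "2025-05-08T09:15:44Z", "user": "jdoe@example.edu", "app": "Canvas LMS", "ip": "203.0.113.55", "country": "RO", "result": "success", "mfa": "not_required"}
{"time": "2025-05-08T09:20:01Z", "user": "asmith@example.edu", "app": "Canvas LMS", "ip": "203.0.113.55", "country": "RO", "result": "failure", "mfa": "failed"}
{"time": "2025-05-08T09:21:30Z", "user": "asmith@example.edu", "app": "Canvas LMS", "ip": "203.0.113.55", "country": "RO", "result": "failure", "mfa": "failed"}
{"time": "2025-05-08T09:23:05Z", "user": "asmith@example.edu", "app": "Canvas LMS", "ip": "203.0.113.55", "country": "RO", "result": "failure", "mfa": "failed"}
{"time": "2025-05-08T09:24:10Z", "user": "bwong@example.edu", "app": "Canvas LMS", "ip": "203.0.113.55", "country": "RO", "result": "failure", "mfa": "none"}
{"time": "2025-05-08T09:25:12Z", "user": "clee@example.edu", "app": "Canvas LMS", "ip": "203.0.113.55", "country": "RO", "result": "failure", "mfa": "none"}
{"time": "2025-05-08T09:26:40Z", "user": "dpatel@example.edu", "app": "Canvas LMS", "ip": "203.0.113.55", "country": "RO", "result": "failure", "mfa": "none"}
{"time": "2025-05-08T10:05:00Z", "user": "jdoe@example.edu", "app": "Email", "ip": "198.51.100.7", "country": "US", "result": "success", "mfa": "satisfied"}
"""

# Constructed baseline: countries each user signed in from over the prior 90 days.
BASELINE_COUNTRIES = {
    "jdoe@example.edu": {"US"},
    "asmith@example.edu": {"US"},
    "bwong@example.edu": {"US"},
    "clee@example.edu": {"US", "CA"},
    "dpatel@example.edu": {"US"},
}

TARGET_APP = "Canvas LMS"            # the federated app under review
MFA_FAILURE_THRESHOLD = 3            # failures per user inside the window
MFA_FAILURE_WINDOW = timedelta(minutes=10)
SPRAY_ACCOUNT_THRESHOLD = 3          # distinct accounts tried from one IP


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines, oldest first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def find_anomalies(records, baseline):
    """Return a list of (rule, subject, detail) findings for the target app."""
    findings = []
    app_recs = [r for r in records if r["app"] == TARGET_APP]

    # Rule 1: successful sign-in from a country the user has never used before.
    for r in app_recs:
        if r["result"] == "success" and r["country"] not in baseline.get(r["user"], set()):
            findings.append(("new_country_success", r["user"],
                             f"{r['country']} via {r['ip']} at {r['time'].isoformat()}"))

    # Rule 2: burst of MFA failures for one user inside the time window.
    failures = defaultdict(list)
    for r in app_recs:
        if r["mfa"] == "failed":
            failures[r["user"]].append(r["time"])
    for user, times in failures.items():
        for i in range(len(times)):
            window = [t for t in times[i:] if t - times[i] <= MFA_FAILURE_WINDOW]
            if len(window) >= MFA_FAILURE_THRESHOLD:
                findings.append(("mfa_failure_burst", user,
                                 f"{len(window)} failures starting {times[i].isoformat()}"))
                break

    # Rule 3: one IP touching many distinct accounts (password-spray pattern).
    accounts_by_ip = defaultdict(set)
    for r in app_recs:
        accounts_by_ip[r["ip"]].add(r["user"])
    for ip, users in accounts_by_ip.items():
        if len(users) >= SPRAY_ACCOUNT_THRESHOLD:
            findings.append(("many_accounts_one_ip", ip,
                             f"{len(users)} accounts: {', '.join(sorted(users))}"))

    return findings


def review(text=SAMPLE_LOG, baseline=BASELINE_COUNTRIES):
    """Parse the export and return all findings for the target app."""
    return find_anomalies(parse_log(text), baseline)


if __name__ == "__main__":
    for rule, subject, detail in review():
        print(f"[{rule}] {subject}: {detail}")
```

On the constructed sample this produces three findings: the successful sign-in for `jdoe` from a country outside that user's baseline (note the `mfa` value of `not_required`, which is exactly the gap step 1 is telling you to close), three MFA failures against `asmith` inside ten minutes, and a single IP cycling through five accounts. The thresholds are deliberately low for a ten-line sample; tune them against your own 90-day baseline before trusting the output, and treat a hit as a reason to look at the session, not as proof of compromise.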

What Parents and Students Should Do

For families, the playbook is simpler but the urgency is real.

  • Change your Canvas password, and change it on any other site where you reused it. If you've ever used the same password twice, today is the day to fix that. A password manager makes this painless.
  • Turn on multi-factor authentication on every account that offers it (e.g. email, social, banking, school portals). This is the single highest-impact thing you can do this week.
  • Expect phishing, and slow down before you click. If you get an email claiming to be from your school, Canvas, a professor, or a financial aid office asking you to log in, reset a password, or "verify your identity," don't click. Open a new browser tab and navigate to the site directly.
  • Watch for official updates from your school and from Instructure. Ignore anyone who contacts you out of the blue claiming to have your data. The FBI has been explicit that opportunistic messages like that are common after high-profile breaches and are often unverifiable.

The Bigger Lesson

K-12 and higher ed sit on a goldmine of sensitive data, and they're funded to defend it like a coffee shop. 65% of K-12 technology leaders say their biggest barriers to better cybersecurity are insufficient staff and no dedicated budget. ShinyHunters knows that. So does the next group behind them.

The fix isn't a magic tool. It's the unglamorous work: a written incident response plan you've actually practiced, MFA everywhere, vendor risk reviews that go beyond a SOC 2 PDF, segmented identity systems, and a real relationship with an outside team you can call when the floor is on fire.

That's the part schools rarely talk about until it's too late. It's also the part SEVN-X has spent years helping education, healthcare, finance, and tech organizations get right.

"So generally, when you have a breach like this, you are going to rely on the IT & administration to come in and save the day."

Matt Barnett, CEO of SEVN-X, on NBC10 Philadelphia

Under Attack, or Want to Make Sure You Won't Be?

SEVN-X helps schools, universities, and the businesses that serve them prepare for incidents like the Canvas breach before they happen and respond decisively when they do.

Under attack right now? Call our breach line: +1 484 989 0911 or meet with an expert.


Matt Barnett is the founder and CEO of SEVN-X, a boutique cybersecurity firm headquartered in King of Prussia, PA. SEVN-X delivers offensive security, advisory, and incident response services to organizations across nine countries, staffed entirely by U.S.-based citizens. NBC10 Philadelphia has trusted SEVN-X for years to provide expert cybersecurity commentary to its viewers.