Catch Of The Week: Canvas Data Breach

By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post

If you or anyone in your family uses Canvas – the learning management system that powers online coursework at thousands of schools and universities – you are going to want to read this one carefully. What is Canvas? Canvas is a popular, cloud-based Learning Management System (LMS) by Instructure that allows educators to manage courses, post grades, and share materials, while students use it for assignments, quizzes, and communication.

Instructure, the Salt Lake City company behind Canvas, disclosed a data breach that began around April 30. The exposed data includes names, email addresses, student ID numbers, and messages exchanged among users. Instructure says there is no evidence, so far, that passwords, dates of birth, government identifiers, or financial information were involved. What was taken is still enough to ruin someone’s day, week, or semester.

The extortion group known as ShinyHunters is claiming responsibility and says the breach is considerably larger than what Instructure has confirmed (ruh roh, Raggy!). The group claims the stolen data includes PII (personally identifiable information) tied to students, teachers, and staff, plus several billion private messages exchanged by Canvas users: the kind of messages students send teachers asking for extensions, explaining personal circumstances, or discussing grades. ShinyHunters listed Instructure on its leak site on May 3, calling it a final warning before the data would be leaked. The group’s numbers may be inflated, but the breach itself is real and confirmed.

This is Instructure’s second confirmed breach in roughly eight months. In September 2025, the same group used social engineering to gain access to the company’s Salesforce environment. A second attack so soon after makes me wonder whether the first incident was properly contained, but it could be purely coincidental.

So why does this matter for phishing?

Here is where it gets tricky. Names, institutional email addresses, student ID numbers, and private message content are the raw ingredients for a spear phishing attack that could fool almost anyone. Imagine receiving an email that appears to come from your university’s financial aid office, addresses you by name, references your student ID, and mentions a conversation you actually had with a professor. That email does not need to break any technical barriers. It just needs to sound real – and with this data, it will.

Attackers can craft highly convincing scams that appear to come from a school administrator, teacher, or classmate. Students are already conditioned to click links in Canvas notifications about due dates, grade releases, and announcements. That conditioned behavior is exactly what a threat actor will exploit.

Not all of us are students, but many of us have family members – kids, partners, siblings – at universities that run Canvas. Our workplaces may have rigorous controls, but a compromised personal email account that bridges into professional life is a well-worn attack path.

Watch for any email that references a Canvas account, student ID, or internal messages and asks you to log in, verify your identity, or click a link. Check that the sender’s address and any link actually belong to your institution’s own domain, not a lookalike with the school’s name tucked in front of a stranger’s domain. Better yet, go directly to your institution’s website, by typing the address or using a bookmark, rather than clicking anything in an email. If you are a student, talk to your university’s IT office about what protections are in place. And as always – if an email feels slightly off, trust that instinct. As Mulder always said, trust no one, especially not your email.
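For readers who would rather let a script do the squinting, here is a small checker, added as an illustration and not part of this column or of Canvas, that applies the advice above to a raw email: it looks for the Canvas or student-ID references and the log-in or verify requests described in this column, then checks whether the sender address and every link really sit under the institution’s own domain. The institution domain (example.edu) and both sample messages are made up for the example; the lookalike host canvas.example.edu.verify-portal.com is exactly the case it is built to catch.

```python
"""Triage a Canvas-themed email the way the column suggests: does it reference
a Canvas account or student ID, does it push the reader to log in or verify
something, and do its links (and sender) actually point at the institution?

Added example; not from the column or from Instructure. INSTITUTION_DOMAIN and
both sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the school's real web presence, Canvas included, lives under
# this one registrable domain. Replace with your institution's domain.
INSTITUTION_DOMAIN = "example.edu"

# Phrases from the column's warning: a reference to Canvas or a student ID...
CONTEXT_TERMS = ("canvas", "student id", "your instructor", "your professor")
# ...combined with a push to log in, verify, or act quickly.
ACTION_TERMS = ("log in", "login", "sign in", "verify your identity",
                "verify your account", "confirm your account",
                "reset your password", "within 24 hours", "will be suspended")

URL_RE = re.compile(r'https?://[^\s<>"\')\]]+', re.IGNORECASE)


def host_belongs_to(host, domain):
    """True only if host is domain itself or a real subdomain of it.

    canvas.example.edu            -> True
    example.edu.verify-portal.com -> False (a lookalike; a plain substring
                                            test would wrongly accept it)
    notexample.edu                -> False
    """
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_links(text):
    """Return every http(s) URL in the text, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def assess(raw_message, institution_domain=INSTITUTION_DOMAIN):
    """Score one RFC 5322 message and return the findings as a dict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()

    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2]
    sender_off_domain = not host_belongs_to(sender_domain, institution_domain)

    off_domain_links = [
        url for url in extract_links(text)
        if not host_belongs_to(urlparse(url).hostname, institution_domain)
    ]
    context = [t for t in CONTEXT_TERMS if t in lowered]
    actions = [t for t in ACTION_TERMS if t in lowered]

    # The column's rule: Canvas/student-ID context plus a request to log in or
    # verify is the lure; a link or sender that is not the institution is the
    # tell. Require all three so ordinary Canvas notifications are not flagged.
    suspicious = bool(context) and bool(actions) and (
        bool(off_domain_links) or sender_off_domain)
    return {
        "sender": sender,
        "sender_off_domain": sender_off_domain,
        "off_domain_links": off_domain_links,
        "context_terms": context,
        "action_terms": actions,
        "suspicious": suspicious,
    }


# Constructed sample messages (not real mail).
PHISH = """\
From: Financial Aid Office <aid@example.edu.verify-portal.com>
To: student@example.edu
Subject: Action required: Canvas account hold
Content-Type: text/plain; charset=utf-8

Dear Jane, our records show Student ID 10234567 has a hold on Canvas.
Verify your identity within 24 hours to keep access to your courses:
https://canvas.example.edu.verify-portal.com/login
"""

LEGIT = """\
From: Canvas Notifications <notifications@example.edu>
To: student@example.edu
Subject: Assignment graded: Problem Set 3
Content-Type: text/plain; charset=utf-8

Your submission for Problem Set 3 has been graded in Canvas.
https://canvas.example.edu/courses/1234/assignments/5678
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = assess(raw)
        print(label, "suspicious" if result["suspicious"] else "ok",
              result["off_domain_links"])
```

The domain test is the part worth copying: it accepts canvas.example.edu but rejects canvas.example.edu.verify-portal.com, which a simple “does it contain example.edu” check would wave through. The script deliberately stays quiet on a normal grade notification, because the lure alone is not the signal; the lure plus a link or sender that is not your school is.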

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
