How to Fortify Your School’s Learning Management System Against Cyberattacks: Lessons from the Canvas Breach

By ✦ min read

Introduction

When ShinyHunters breached Instructure’s Canvas platform in early 2025, compromising 275 million records from 9,000 institutions, it sent shockwaves through the education sector. This attack—the second on Canvas within a year—exposed email addresses, usernames, enrollment data, and course names, leveraging a “free for teacher” account. With 82% of K-12 organizations reporting cybersecurity incidents and the rise of AI-powered threats, schools must act now. This guide translates the Canvas breach into actionable steps to protect your learning management system (LMS) and student data.

What You Need

• Administrator access to your LMS (e.g., Canvas, Blackboard, Schoology)
• Current list of all third-party integrations and vendor security policies
• Cybersecurity team or designated IT lead (consider a managed security service provider)
• Budget for tools: multifactor authentication (MFA), endpoint detection, encryption software
• Incident response template from frameworks like NIST or CISA
• Staff training materials on phishing and data handling
• Legal counsel familiar with FERPA, COPPA, and state breach notification laws

Step 1: Understand the Attack Vector—Free & Unmonitored Accounts

The Canvas breach started with a “free for teacher” account that lacked strong controls. Hackers exploited these accounts’ permissive access to exfiltrate data. Step 1: Audit all accounts in your LMS, especially those with elevated privileges or no cost. Identify every free-tier, trial, or “guest teacher” account. Disable any that aren’t actively used. For remaining accounts, enforce the same security standards as paid ones. Consider removing the ability to create free accounts altogether—use a role-based access system instead.

Step 2: Evaluate Your LMS Vendor’s Security Posture

Canvas’s parent company, Instructure, failed to protect its free accounts, leading to a record 275 million stolen records. Step 2: Request your vendor’s latest SOC 2 Type II report, penetration testing results, and detailed incident response plan. Ask specific questions: How are “free” accounts isolated? What authentication methods are enforced? Have they experienced breaches in the past 12 months? (Canvas had two.) Use this information to negotiate contractual security guarantees—for example, requiring MFA on all accounts and 24-hour breach notification.

Step 3: Limit the Data Stored in Your LMS

The stolen Canvas data included emails, usernames, enrollment details, and course names—enough for identity theft or targeted phishing. Step 3: Minimize personal identifiable information (PII) in your LMS. Remove Social Security numbers, birth dates, and full addresses. Use pseudonyms or internal IDs instead of real names where possible. Periodically review course materials for inadvertently uploaded sensitive files (e.g., employee reviews). Create a data retention policy that purges old courses after a set period (e.g., 3 semesters) to reduce the blast radius of any breach.

Step 4: Enforce Multifactor Authentication (MFA) for All Users

Even if a free teacher account password is compromised, MFA blocks the attacker’s access. Step 4: Enable MFA for every user role—students, teachers, administrators. Use push notification, time-based one-time passwords (TOTP), or hardware tokens. For students under 13, obtain parental consent or implement as a “strongly recommended” option. Require MFA for any account that can view or export class rosters. After implementation, run a pilot with a small group to work out usability issues, then roll out campus-wide with training.

Step 5: Develop an Incident Response Plan Tailored to LMS Breaches

ShinyHunters set a Tuesday deadline for schools to “negotiate,” forcing frantic responses. Step 5: Create a specific playbook for LMS breaches. Define roles: who contacts the vendor? Who informs law enforcement (e.g., FBI’s Cyber Division)? Who drafts parent alerts? Include steps to isolate compromised accounts, preserve logs, and engage legal counsel regarding FERPA notification. Use tabletop exercises quarterly—simulate a ShinyHunters-style attack. Pre-draft communication templates so you can respond within hours, not days.

Step 6: Educate Staff and Students on Cyber Hygiene

80% of breaches involve human error, and free teacher accounts are especially vulnerable. Step 6: Conduct mandatory training on password hygiene, phishing recognition, and the dangers of sharing credentials. Use real examples from the Canvas breach: show how hackers gained access through a free account. For teachers, emphasize that free accounts are not exempt from security protocols. For students, teach them to recognize fake login pages that harvest credentials. Repeat training annually and after any major incident.

Step 7: Monitor Continuously and Respond to AI-Enhanced Threats

AI is making attacks more sophisticated—as experts warned after the Canvas incident. Step 7: Implement 24/7 monitoring of LMS logs for unusual behavior: repeated login failures, access from unfamiliar IPs, bulk data downloads, or sudden permission changes. Use a Security Information and Event Management (SIEM) tool if budget allows. If a free account suddenly enrolls in hundreds of courses, flag it. See Tips below for AI-specific defenses.

Tips for Ongoing Protection

1. Conduct regular vulnerability scans on all systems that connect to your LMS—including APIs and single sign-on (SSO) portals.
2. Negotiate “right to audit” clauses in vendor contracts so you can verify security practices firsthand.
3. Use AI as a defender, not just an attacker. Deploy machine-learning tools that detect anomalous data access patterns—like a user suddenly downloading 1,000 student records.
4. Participate in threat-sharing communities such as the K12 Security Information Exchange (K12 SIX) or MS-ISAC to alert peers about new exploits.
5. Back up your LMS data nightly and store backups offline. Ransomware often hits education, and clean backups are your lifeline.
6. Review your cyber insurance policy to ensure LMS-specific incidents are covered. Many policies now require MFA and vendor risk assessments.
7. Test your plan annually with a full-scale drill involving IT, administrators, teachers, and PR staff. Time your response—aim to contain a breach within 1 hour.

By following these steps, you can harden your LMS against the next ShinyHunters—and protect the students, teachers, and families who rely on digital learning.