If your kid, grandkid, niece, or nephew is in school, there's a very good chance their information is part of this one.

Canvas, the system most colleges and a lot of K-12 schools use to assign homework, post grades, and message teachers, was breached over the first week of May.

Eighty-eight hundred schools. Two hundred and seventy-five million records.

Right in the middle of finals.

What "got hacked" actually means here

This wasn't somebody guessing a password and getting into one student's account. The company that runs Canvas, Instructure , had its systems broken into, and a group calling itself ShinyHunters walked out with a copy of the data.

According to Instructure, what was taken includes:

• Names
• Email addresses
• Student ID numbers
• Private messages between students and teachers

What they say wasn't taken: passwords, dates of birth, government IDs, financial information.

That last bit is worth holding onto, but with one caveat: in breaches like this one, the initial list of "what got out" usually grows over the following weeks as the investigation continues. So the answer for now is probably limited to the four items above — and the prudent move is to act as though more might come out later.

Why this one matters more than most breaches

A few reasons.

It's enormous. 275 million records is roughly the entire adult population of the United States, and it's concentrated in students, including minors.

The private messages are unusual. Most breaches leak the database. This one leaked the conversations - what kids wrote to their teachers, what teachers wrote back, the side chats during a hard semester. That kind of data is exactly what social engineers use to build a convincing scam later.

And the timing was deliberate. The login page was replaced with a ransom message during finals week, when schools had the least leverage to refuse.

On May 11, Instructure announced they'd reached an agreement with the hackers and the data had been "destroyed." Whether you find that reassuring is a separate question. Once data is copied, you can't really un-copy it. You can only take their word for it.

What this means for your family

The dangerous part isn't the data itself. It's what scammers do with it.

Expect, over the next several months, an uptick in:

Emails that know your student's name and school. "We noticed unusual activity on your Canvas account, please click here to verify." The fake login page will look real because the scammer already knows the school and the email address.

Text messages from "the school." Same idea - a request to confirm something, with just enough real detail to feel legitimate.

Phone calls that reference a real teacher or class. This is where the private message leak hurts. A scammer who's read a few teacher-student exchanges can sound very convincing.

Nothing here is unique to Canvas. It's the same pattern after every big breach. But the volume of cover-story material this one gave away makes the impersonations easier to pull off.

What to actually do

You don't need to panic. You do need to do four things.

1. Change the Canvas password for any account in your family. Even though Instructure says passwords weren't taken, change them. It's a five-minute job and it closes a door regardless of what was or wasn't leaked.

2. Turn on two-factor authentication if Canvas offers it. Most schools have the option. If you don't know how, the school's IT page almost certainly has a one-page guide.

3. Don't click links in any email or text that claims to be from Canvas or the school. Open a browser. Type the school's address yourself. Log in that way. This is the single most important habit for the next few months.

4. Have a 30-second talk with your student. Specifically: "If you get a message from a teacher asking you to click something or confirm something, screenshot it and show me first. We'll figure out together whether it's real."

That last one is the one that matters most. The scams that work on adults work even better on tired, distracted teenagers in the last week of school.

The bigger pattern

Yesterday's post was about AI voice cloning — scammers using your daughter's voice to ask for money.

Today's is about a breach that hands scammers everything they need to make those impersonations convincing - names, schools, the language a real teacher uses with a real student.

These aren't separate problems. They're the same problem, getting easier for the bad guys every quarter.

The piece that doesn't change is how you verify. We'll get to that on Thursday, and the printable family version goes out in Friday's newsletter.

Subscribe to the PCRescue weekly →

If you want help locking down your family's accounts before the scam emails start arriving, or you're already getting strange messages and want a second opinion, that's exactly the kind of thing I do.

Request a callback → | Schedule a remote session →