Back to Blog

Hackers Stole 275 Million Records This Week. None of the Victims Did Anything Wrong.

You run cloud software to handle payroll, accounting, or your client records. You have decent passwords. You have two-factor auth on most things. By any reasonable standard, you're doing what you're supposed to do.

Then your payroll software company gets hacked. Now your employee records, your customer contacts, your financial data, are sitting in some criminal's folder somewhere. You never had a chance to prevent it.

That is, more or less, what happened to thousands of universities this week.

Instructure, the company behind Canvas (the learning management platform used at more than 8,800 universities and institutions worldwide), confirmed a breach that started on May 1st.[1] The hacking group ShinyHunters claims to have stolen 3.65 terabytes of data, roughly 275 million records, including student names, email addresses, ID numbers, and private messages between students and instructors.[2] They handed Instructure an extortion deadline and went public when negotiations stalled.

The schools didn't get hacked. Instructure did. But the students' and faculty's data is what's now being held over everyone's heads.

This Is Not an Education Problem

Canvas is a school tool, but this same situation plays out across every industry. Your business almost certainly relies on some set of cloud services right now. Accounting software. A CRM to track clients. Project management. Payroll processing. Email through Google Workspace or Microsoft 365. Scheduling platforms. All of those vendors hold your data.

If any of them gets breached, through ransomware, a stolen credential, a misconfigured server, or even an insider, that data can be exposed without you making a single mistake on your end.

The security of your business isn't only determined by what you do. It's also shaped by the practices of every vendor you trust.

How ShinyHunters Got In (And Why It Keeps Working)

ShinyHunters has been behind some significant data theft campaigns over the past few years. This Canvas attack is actually the second time they've successfully hit Instructure in under a year.[3] They've also recently breached Cushman & Wakefield, the commercial real estate firm, pulling more than 500,000 records from a Salesforce instance.[4]

In the Canvas case, they found their way in through a Free-For-Teacher account program, a low-friction onboarding feature with weaker security controls that shared underlying infrastructure with the main platform. Once inside, broader institutional data was within reach. Attackers rarely go through the front door. They find the side entrance that nobody thought to lock.

What's unsettling isn't the sophistication. It's how routine this has become.

Four Things to Do Before Your Vendor Has a Problem

You can't realistically audit the security practices of every platform you subscribe to. But a few straightforward steps make a real difference.

1. Know where your data actually lives. Spend ten minutes listing the cloud tools your business uses and what category of data each one holds. Customer names and contact info. Employee records. Financial data. It's not a formal project, just knowing. If a vendor calls with bad news, this list tells you instantly what you're dealing with.
2. Share less than platforms ask for. SaaS tools often request more information than they strictly need during setup. If a tool doesn't need a customer's full address to do its job, don't put it in there. Less data in the system means less data at risk if something goes wrong.
3. Watch where breach notifications actually land. Vendors are required to notify customers when there's a breach. But if the email address on your account goes to an unmonitored inbox, that notification effectively never arrives. Make sure it reaches someone who can act on it quickly.
4. Check your cyber insurance for third-party breach coverage. Many policies now cover vendor-related incidents. Many don't. It's worth asking your broker specifically, because 88% of ransomware incidents involve small and mid-sized businesses,[5] and vendor compromises are a real driver of that number.

You can't fully control what your vendors do behind the scenes. But you can shrink what's exposed, and you can put yourself in a position to respond rather than scramble when something happens.

We help Pittsburgh-area businesses map out where their sensitive data lives across all the cloud tools they use, identify the biggest gaps, and put practical monitoring in place so incidents don't catch you completely off guard.