Cyberattacks on Education Sector Evolve: Identity Abuse and SaaS Exploitation Drive Surge in Breaches
Cyberattacks targeting educational institutions have shifted from opportunistic ransomware campaigns to sophisticated, identity-driven intrusions leveraging trusted platforms and valid credentials. Recent incidents linked to the threat group ShinyHunters including breaches at Udemy and Instructure (Canvas) highlight a growing trend: attackers no longer breach systems externally but instead operate within them, exploiting SaaS access, federated identities, and operational trust to evade detection.
Key Trends and Incidents
- Rising Threat Volume: Cyber incidents in the education sector surged 63% year-over-year, with 425 reported attacks between November 2024 and October 2025 up from 260 the prior year. Data breaches increased by 73%, while hacktivist activity rose 75% across 67 countries. The UK’s Cyber Security Breaches Survey 2025/2026 found that 98% of universities and 88% of further education colleges experienced a breach in the past 12 months, far exceeding the broader business average.
- Udemy Breach (2025): ShinyHunters compromised 1.4 million records, including PII, instructor payout data, and corporate details, after the company refused extortion demands. The leaked data was later indexed by Have I Been Pwned, amplifying downstream phishing and credential-stuffing risks.
- Canvas Breach (May 2026): The group exfiltrated 3.65TB of data tied to 275 million students, faculty, and staff across 9,000 schools worldwide. Attackers exploited "Free-for-Teacher" accounts to pivot into the SaaS platform, defacing 330 institution login portals including those of Harvard, Stanford, Columbia, and Rutgers and disrupting operations during critical academic periods.
Attack Vectors: Identity Debt and SaaS Abuse
- Identity Persistence as a Weakness: Educational institutions struggle with "identity debt" accumulated credentials from alumni, shared lab access, and temporary research accounts that persist beyond their intended use. Attackers exploit these valid but unmanaged identities to move laterally without triggering traditional security alerts.
- SaaS as the New Intrusion Layer: Once inside, attackers embed themselves in cloud platforms (Microsoft 365, Google Workspace, Canvas) rather than endpoints. Techniques include:
- OAuth abuse (e.g., granting Mail.Read or Files.Read.All permissions).
- Mailbox manipulation (forwarding rules, suppressed security alerts).
- API-driven access to reduce visibility.
- Federated Identity Risks: Cross-institution collaboration via federated systems expands the blast radius of a single compromised identity. The Canvas breach demonstrated how a vendor compromise could cascade into sector-wide disruption.
Operational Shifts in Extortion Tactics
- Ransomware’s Decline as a Primary Tool: While ransomware persists, groups like ShinyHunters now prioritize data theft, leak-site pressure, and public exposure over encryption. The Canvas attack coincided with finals season, maximizing reputational and operational damage.
- IT Impersonation and Social Engineering: Attackers pose as IT support staff to initiate MFA resets, password changes, or device registrations, exploiting operational trust rather than software vulnerabilities.
Broader Implications
The education sector’s open, collaborative model reliant on shared SaaS platforms, federated identities, and decentralized administration creates systemic vulnerabilities. As attackers refine their methods, the focus has shifted from preventing unauthorized access to detecting abuse of legitimate credentials and mitigating cross-institution propagation. The recent breaches underscore that vendor compromise now equals institutional compromise, with single intrusions capable of disrupting thousands of schools simultaneously.
Instructure cybersecurity rating report: https://www.rankiteo.com/company/instructure-inc-
Rutgers University cybersecurity rating report: https://www.rankiteo.com/company/rutgersu
Udemy cybersecurity rating report: https://www.rankiteo.com/company/udemy
Harvard University cybersecurity rating report: https://www.rankiteo.com/company/harvard-university
Columbia University cybersecurity rating report: https://www.rankiteo.com/company/columbia-university
"id": "INSRUTUDEHARCOL1782312004",
"linkid": "instructure-inc-, rutgersu, udemy, harvard-university, columbia-university",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '1.4 million records',
'industry': 'Education',
'name': 'Udemy',
'type': 'Educational Technology'},
{'customers_affected': '275 million students, faculty, '
'and staff across 9,000 schools '
'worldwide',
'industry': 'Education',
'name': 'Instructure (Canvas)',
'type': 'Learning Management System'},
{'industry': 'Higher Education',
'location': 'USA',
'name': 'Harvard',
'type': 'University'},
{'industry': 'Higher Education',
'location': 'USA',
'name': 'Stanford',
'type': 'University'},
{'industry': 'Higher Education',
'location': 'USA',
'name': 'Columbia',
'type': 'University'},
{'industry': 'Higher Education',
'location': 'USA',
'name': 'Rutgers',
'type': 'University'}],
'attack_vector': ['Valid Credentials',
'OAuth Abuse',
'Mailbox Manipulation',
'API-Driven Access',
'Federated Identity Exploitation',
'IT Impersonation',
'Social Engineering'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': ['1.4 million (Udemy)',
'3.65TB (Canvas)'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII, academic records, '
'operational data)',
'type_of_data_compromised': ['PII',
'Instructor Payout Data',
'Corporate Details',
'Student/Faculty/Staff Data']},
'description': 'Cyberattacks targeting educational institutions have shifted '
'from opportunistic ransomware campaigns to sophisticated, '
'identity-driven intrusions leveraging trusted platforms and '
'valid credentials. Recent incidents linked to the threat '
'group ShinyHunters, including breaches at Udemy and '
'Instructure (Canvas), highlight a growing trend where '
'attackers operate within systems, exploiting SaaS access, '
'federated identities, and operational trust to evade '
'detection.',
'impact': {'brand_reputation_impact': 'Defacement of 330 institution login '
'portals (e.g., Harvard, Stanford, '
'Columbia, Rutgers)',
'data_compromised': ['PII',
'Instructor Payout Data',
'Corporate Details',
'Student/Faculty/Staff Data'],
'identity_theft_risk': 'Downstream phishing and '
'credential-stuffing risks',
'operational_impact': 'Disruption during critical academic periods '
'(e.g., finals season)',
'systems_affected': ['Microsoft 365',
'Google Workspace',
'Canvas',
'Institution Login Portals']},
'initial_access_broker': {'entry_point': 'Free-for-Teacher accounts (Canvas), '
'Valid Credentials'},
'lessons_learned': "The education sector's open, collaborative model reliant "
'on shared SaaS platforms, federated identities, and '
'decentralized administration creates systemic '
'vulnerabilities. Attackers now focus on detecting abuse '
'of legitimate credentials and mitigating '
'cross-institution propagation. Vendor compromise now '
'equals institutional compromise, with single intrusions '
'capable of disrupting thousands of schools '
'simultaneously.',
'motivation': ['Data Theft',
'Extortion',
'Reputational Damage',
'Operational Disruption'],
'post_incident_analysis': {'root_causes': ['Identity Debt',
'Unmanaged Credentials',
'SaaS Abuse',
'Federated Identity Risks',
'Operational Trust Exploitation']},
'ransomware': {'data_exfiltration': True},
'references': [{'source': 'UK Cyber Security Breaches Survey 2025/2026'},
{'source': 'Have I Been Pwned'}],
'threat_actor': 'ShinyHunters',
'title': 'Cyberattacks on Education Sector: Identity Abuse and SaaS '
'Exploitation Drive Surge in Breaches',
'type': ['Data Breach', 'Identity Abuse', 'SaaS Exploitation'],
'vulnerability_exploited': ['Identity Debt',
'Unmanaged Credentials',
'Free-for-Teacher Accounts',
'Operational Trust']}