Canvas got hit twice — what every district should ask their vendors
Today we lead with the Instructure Canvas breach: 275 million users, 8,809 institutions, and a free-tier architecture that became the backdoor. We unpack what happened, why it matters for K–12 districts, and the four questions every superintendent should be asking every ed-tech vendor right now.
Canvas got hit twice. Here's what every district should ask their vendors right now.
In May 2026, the hacking group ShinyHunters breached Instructure's Canvas learning management system. Not once — twice. They walked away with roughly 3.65 terabytes of data covering 275 million users across 8,809 institutions worldwide. Student names. School emails. Student ID numbers. Private messages between students and teachers.
Canvas runs the back end at 41% of North American higher-ed institutions and thousands of K-12 districts. If your district uses Canvas — even peripherally — you're in this number. Instructure paid the ransom. The attackers say the data is destroyed. The trust damage isn't.
We're not writing this to scare anyone. We're writing this because there's a clear lesson every superintendent, principal, IT director, and school board member should walk away with — and it's not about Canvas specifically. It's about how schools choose their tech vendors.
### How they got in
Instructure ran a program called "Free-For-Teacher." Any teacher — anywhere — could sign up without institutional verification. No district approval, no domain check, no vetting. That free tier ran on the same infrastructure as the paying customers. Same servers. Same database. Same physical machines.
ShinyHunters didn't break down the front door of any paying school district. They walked through the front door of Free-For-Teacher with a free account, and from inside the same shared infrastructure, pivoted into production data belonging to schools that paid Instructure to keep that data safe.
This is the multi-tenant SaaS model. Your data is sitting in the same room as every other customer's data, separated by a software wall. Sometimes those walls hold. Sometimes — like here — they don't.
[Figure: shared cloud tenancy vs. on-premise sovereignty]
### What it means for your district
Three concrete things are about to land on superintendents' desks if they haven't already:
Spear-phishing. Attackers now have student emails, names, and which school they attend. The next 6–12 months will bring targeted phishing aimed at families — "Hi, this is Principal X from your son's school, can you click here to verify..." Train your staff and warn parents now.
FERPA exposure. Federal student-privacy law was likely violated. Your district's compliance officer should be on a call with legal counsel this week — not next month.
API integration cleanup. Most districts pipe Canvas data through ten or more other tools — gradebooks, attendance, parent apps. If Canvas leaked, anything downstream that authenticated against it may need credential rotation and audit.
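One way to scope the rotation and audit described in the last item, as an added example (not from Instructure or any district's tooling): it walks an inventory of integrations outward from the breached system and marks each downstream tool for rotation or audit. The tool names, dates and cutoff are constructed assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Integration:
    name: str
    trusts: tuple            # systems whose tokens, keys or SSO this tool accepts
    credential_issued: date  # when its current API key / OAuth secret was minted


def rotation_plan(inventory, breached, cutoff):
    """Walk the trust graph outward from `breached`.

    Returns (name, hops, action) tuples, nearest first. A credential minted on
    or before `cutoff` is rotated; a newer one still gets a log audit because
    the tool sits on the breached trust path.
    """
    # upstream system -> tools that authenticate against it
    downstream = {}
    for tool in inventory:
        for upstream in tool.trusts:
            downstream.setdefault(upstream, []).append(tool)

    plan, seen, queue = [], {breached}, deque([(breached, 0)])
    while queue:
        system, hops = queue.popleft()
        for tool in downstream.get(system, []):
            if tool.name in seen:  # visit once; also guards against trust cycles
                continue
            seen.add(tool.name)
            action = "rotate" if tool.credential_issued <= cutoff else "audit"
            plan.append((tool.name, hops + 1, action))
            queue.append((tool.name, hops + 1))
    return sorted(plan, key=lambda row: (row[1], row[0]))


# Constructed sample inventory; tool names and dates are illustrative only.
INVENTORY = [
    Integration("gradebook", ("canvas",), date(2025, 8, 15)),
    Integration("attendance", ("canvas", "district_sso"), date(2026, 1, 10)),
    Integration("parent_app", ("gradebook",), date(2024, 9, 1)),
    Integration("library", ("canvas",), date(2026, 7, 2)),
    Integration("cafeteria_pos", ("district_sso",), date(2023, 3, 3)),
]
# Assumed cutoff: treat every secret minted up to this date as exposed.
CUTOFF = date(2026, 5, 31)

if __name__ == "__main__":
    for name, hops, action in rotation_plan(INVENTORY, "canvas", CUTOFF):
        print(f"{action:6}  {name:12}  {hops} hop(s) from canvas")
```

Tools that never trusted the breached system, like the sample `cafeteria_pos`, stay off the plan, which keeps the rotation window focused on what was actually exposed.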
### Four questions every district should be asking every vendor right now
It doesn't matter if it's Canvas, Google, Microsoft, Zoom, or the next ed-tech startup pitching at the school board meeting. Ask these:
1. Where does our student data physically live? Country, region, data center. If they can't answer in one sentence, that's the answer.
2. Is our data isolated, or shared infrastructure with other customers? "Multi-tenant" means shared. Ask what physically separates your district from the rest.
3. Do you have a free tier connected to our production environment? This is the Canvas-shaped question. If yes, that's a backdoor with your name on it.
4. Can we run this on our own hardware? On-premise is a real option. Vendors who say "no, never" are telling you something about their priorities.
### What Brown Forces builds for
We've been saying this for two years: when your data lives on someone else's cloud, behind a free-tier signup form, on shared infrastructure with strangers — you have given up control. Sovereignty isn't optional. It's the foundation.
Obsidian AI is the on-premise AI appliance we built for organizations that can't afford to lose control of their data. It runs in your building, on your hardware, behind your firewall. No multi-tenant anything. No free tier connected to your production. No shared infrastructure. The thing that just happened to Canvas can't happen to Obsidian, because the architecture doesn't allow it.
If you're a district administrator reading this and you want a thirty-minute conversation — no sales pitch, just "what are my real options" — reach out to me directly. Salvador Alvarez, founder. salvador@brownforces.io.
We didn't build Obsidian as a response to Canvas. We built it because we already saw this kind of breach coming. The Canvas event is the first big public proof, not the last.
Why this matters for us: A district in the Coachella Valley with 80% Latino students has the same data-sovereignty rights as a tech company in Palo Alto. When a vendor breach exposes our kids' names, IDs, and teacher messages, the harm doesn't fall evenly — our communities have less margin for the consequences. Sovereignty isn't just a security choice. It's an equity choice.
Google’s Android AI guesses what you’ll do next
Your phone’s starting to act like a cousin who knows your routine. Google’s new AI feature, called contextual suggestions, now pops up on Pixel 10 phones and predicts what you need before you ask. If you hit the gym every Tuesday at 6 p.m., it’ll auto-play your workout playlist. If you always grab coffee after dropping the kids off, it’ll suggest your usual spot — no tapping needed.
It’s not asking for permission. It’s watching: where you go, what apps you open, when you unlock your phone. The feature was in beta testing for months, and now it’s rolling out to everyone. No settings menu. No tutorial. Just quiet, useful nudges — like your tía leaving a note on the fridge.
No big fanfare from Google. No press release. Just a slow rollout, like they know we don’t need another app to manage our apps.
Why this matters for us: It saves time, data, and mental energy — without asking us to learn anything new.
Meta cuts 10% of staff — but no one’s celebrating
Meta’s profits are at a record high. The stock’s up. Mark Zuckerberg just bought a $1.2 billion island. But inside the company? Everyone’s unhappy.
More than a dozen current and former employees told WIRED the same thing: the hustle never stops, even as the layoffs hit. Teams are stretched thin. Managers push for AI-driven results while cutting heads. People work weekends just to keep their jobs.
One engineer said they’ve been on call for six months straight — no vacation, no break. A product lead quit after her team was shrunk to three people, expected to run three major products.
The AI push? It’s real. But instead of helping workers, it’s become the excuse to do more with less. The same tools meant to boost productivity are now tracking every click, every minute, every Slack message.
Even the perks feel hollow. Free meals? Still there. But the vibe? Gone. People don’t gather in the cafeteria anymore. They eat at their desks, scrolling through LinkedIn, wondering who’s next.
Why this matters for us: When the company making the apps we all use starts eating its own, the hustle isn’t just for gig workers — it’s coming for everyone.
RAG: Like your tía who always brings the extra book
Imagine your tía asks you to put together a list of recipes for Sunday. You know a lot about food, but you don’t remember the recipe for her tamales de hoja. So instead of guessing, you pull out the recipe book she kept in the kitchen — the one with her sisters’ notes, the salsa stains, and the folded page that says ‘this is the one Mami likes best!’
That’s RAG (retrieval-augmented generation): an AI that doesn’t just use what it already knows, but looks things up in real sources before answering. Instead of making up facts, it grabs the most recent, most reliable material — like an abuela who checks her calendar before telling you the exact time of Mass. La migra app uses RAG to understand your papers without guessing. A doctor uses it to review your medical records before giving a diagnosis. It doesn’t rely on memory alone. It relies on what’s written down, on what already happened.
When you ask an AI something important — "What benefits do I have in my case?" or "When does my visa expire?" — don’t settle for the first answer. Ask it: "Where did you get that info?" See whether it mentions a document, a law, an official site. If it doesn’t, ask it to look harder. Like your tía with her book. Don’t let it answer with what it "feels" is true. Ask it to check the book.
Your phone’s AI assistant might start choosing your apps — and charging you for it, without ever asking.
— 9to5mac.com
Kids don’t need more screens locked down — they need real space to grow online
Jules Polonetsky, CEO of the Future of Privacy Forum, says locking down kids’ screens with endless parental controls isn’t enough. It’s not just about blocking content or setting time limits. What kids need is room to learn, mess up, and connect — without being watched like…
TradeWork: Jobs, Crews, Payments — All in the Truck
You spend your morning at a job site, your afternoon in traffic, and your evening chasing payments. Your estimates live in Notes, invoices are PDFs sent via WhatsApp, and your crew checks in with text threads that disappear into oblivion. You don’t need another fancy CRM. You need something that works when your phone’s in your pocket and your hands are covered in drywall dust.
TradeWork is built for that. Painters, plumbers, electricians — enter jobs on your phone, assign crews, send invoices in Spanish or English, and get paid right there. No more chasing checks. No more lost texts. The foreman sees the same job card as the helper. The office gets paid without waiting for mail. Everything stays in one place — no switching apps, no printing, no guesswork.
Why this matters for us: When your tools work as hard as you do, you stop working twice.
https://tradework.work
Instagram ads are selling coke gear like it’s just lifestyle
You scroll past a sleek leather pouch with magnetic clasps. Next, a gold-plated straw with a tiny crystal on the end. Then a minimalist case that fits just right in your pocket. All tagged #cokeaccessories, #luxurycoke, #snortstyle. No mention of drugs. No warning labels.…
Windows will now roll back broken drivers without you doing a thing
Microsoft is fixing Windows 11, and this time it won’t ask you to do everything yourself. Soon, if a driver update leaves your computer with a blue screen or no sound, Windows will roll it back on its own. No more digging through Device Manager, no more calling the cousin who understands tech. The new feature is called "Cloud-Initiated Driver Recovery" — and it works like an automatic rollback: if the new driver misbehaves, Windows uninstalls it and goes back to the one that did work.
Until now, users had to spot the problem, go into the update options, and click "rollback". Or wait for the video card’s maker to publish a new version. Now Microsoft does it from the cloud, without you opening a single menu.
It’s not magic. It’s work. And it comes right when we need it most: when work, school, and invoicing all depend on the laptop not crashing in the middle of a report.
Why this matters for us: Your computer will no longer fail because of a bad driver while you’re in a meeting, in line at the bank, or chasing after la migra app.
What if magic mushrooms quiet the voice that never stops doubting?
OCD isn’t just about washing hands or checking locks. It’s the voice in your head that whispers, "Did I lock it? Did I say the right thing? What if I messed up?" For years, people have tried meds, therapy, routines — but the doubt always comes back.
Now, some are turning to…
Google’s new AI laptop runs on Android — no Chromebook upgrade needed
Google’s new laptop platform, called Googlebook, runs on Android — not Chrome OS. It’s not meant to kill Chromebooks, but to offer something different: AI built in from day one. Think Magic Pointer, a feature that lets you tap on anything on screen and ask the laptop to explain, summarize, or act on it. Apps run natively, no more web-only limits. The idea? A machine that feels like a phone you can type on, but with desktop power. No fancy cloud tricks. No waiting for web apps to catch up. Just Android, smarter. It’s the cousin who skipped the upgrade cycle and built something that actually works for the hustle.
Why this matters for us: Your kid’s school laptop could soon be the same device that helps you track hours, send invoices, and find last week’s receipt — all without Wi-Fi or a tech degree.
Hantavirus is here. Here’s how it moves — and why it won’t sweep the country
A cruise ship outbreak got people talking, but hantavirus isn’t going to be the next big pandemic. It doesn’t spread from person to person. You catch it from rodent poop, pee, or saliva — mostly when you breathe in dust kicked up by infected mice or rats. The virus hangs…
For the community
Tech affecting the Hispanic community
The stories below land different for our gente — immigration tech, language access, the unbanked, kids of color, gig-worker rights.
Your iPhone gets stolen, and then the hackers’ party starts
When your iPhone is stolen, the device isn’t the only thing you lose. Criminals use black-market tools to unlock it, even if it has a passcode or Face ID. Once inside, they get into your contacts, messages, and linked bank accounts. Then they send phishing from your number: "Hi, it’s me. I need $500 urgently for the emergency." Your tía, your cousin, your boss — they all fall for it. Banking apps, even the most secure ones, don’t know the message is coming from a stolen iPhone and not from you. There’s no notification, no "new device" alert. Just the money that leaves, and the trust that breaks. La migra app won’t save you. Neither will the iCloud backup. What does help: turning off iMessage and FaceTime from another device before the thief does. And not trusting any request for money that arrives by message, even if it looks like it’s from your brother.
Why this matters for us: Your phone isn’t just your address book, it’s your network of trust — and if you lose it, everyone who knows you becomes a target.
You don’t need to code to fix your app
For years, if you wanted to change how your software worked — whether it was for your clinic, your church’s sign-in sheet, or your cousin’s taco truck inventory — you had to beg a developer to do it. Or pay thousands. Or learn Python. Now, AI is letting la gente build their own tools. No degree. No middleman. Just talk to the app. Tell it what you need: "Make a form that tracks my abuela’s meds and texts me when she skips a dose." And it does. No more waiting. No more "that’s just how the software is." The people who use the tools are finally making them. This isn’t about fancy AI. It’s about power. Back to the people who show up every day.
Why this matters for us: Your abuela’s medicine reminder, your tío’s delivery tracker, your kid’s homework log — now they’re yours to shape, not just to suffer.
AI is stealing small business jobs — and no one’s paying for it
Your cousin runs a local printing shop. Every week, she takes orders from Instagram, prints flyers, signs, and menus — all by hand. Now, a new AI tool lets customers design their own graphics, pick fonts, and download prints for $5. No human needed. No tip. No conversation. She’s not mad — she’s just tired.
Across the country, small businesses are getting squeezed. A bakery owner used to take custom cake orders over the phone. Now, customers upload photos to an AI app, pick flavors, and pay through PayPal. The baker’s hours drop. Her sister, who used to help with deliveries, got laid off.
These AI tools don’t charge a fee. They don’t pay taxes. They don’t hire local help. They just take the work — and the customers — and leave the hustle to the people who’ve been doing it for decades.
It’s not just freelancers. It’s the abuelo who fixed TVs in his garage. The tío who did home repairs on weekends. The auntie who knitted sweaters and sold them at the mercado. All of them now competing with algorithms that never sleep, never ask for a raise, and never need a meal break.
Why this matters for us: When AI eats small business work without paying its share, the hustle becomes harder — and the family economy starts to crack.
AI and fake respondents are messing with polls
Polls used to call your landline. Now they text, email, even drop voicemails from bots that sound like your tía. Courtney Kennedy at Pew says AI is flooding surveys with fake responses — robots pretending to be real people answering questions about voting, healthcare, and who they’ll support in November.
The problem? These bots don’t get tired. They don’t have kids to pick up from school or a double shift at the warehouse. They answer every survey, every time, fast and perfect — and they’re skewing the data.
Meanwhile, real people are dropping out. Older folks don’t answer unknown numbers. Younger folks ignore texts from "SurveyUSA." Those who do respond? Often the ones with time to spare — retirees, remote workers, people already tuned into politics. That’s not the whole comunidad. That’s just the quiet ones.
Kennedy says pollsters are scrambling. Some are adding voice verification. Others are hunting for patterns in how bots answer versus how humans do — like the way a real person pauses, or says "uhh" before picking a candidate.
But here’s the thing: if the polls don’t reflect the hustle, the overtime, the cousins who answer surveys while cooking dinner, then what we think the country wants? Might just be what the quietest corner of it says.
Why this matters for us: If the polls don’t hear the real people, elections won’t either.
Apple and Amazon are building AI agents that could cost you
Apple’s working on AI agents that’ll roam the App Store like digital cousins, offering deals, booking appointments, even buying stuff for you. Meanwhile, Amazon just killed its Rufus chatbot and rolled out a new Alexa shopping agent that’ll nudge you to buy more—right when you’re scrolling at 2 a.m.
These aren’t just assistants. They’re salespeople with no paychecks, no breaks, and no loyalty to you—only to the algorithms that trained them. They’ll remember your habits, your weak spots, your late-night snack cravings. And they’ll use it.
You’ll get a notification: "Tu mamá would’ve loved this." Then it buys it. No confirmation. No "Are you sure?"
The apps won’t tell you they’re AI. They’ll sound human. Friendly. Like that tío who always knows what you need before you do. Only this tío works 24/7, and his commission comes out of your wallet.
Why this matters for us: Your next impulse buy won’t be from an ad—it’ll be from a ghost in your phone, speaking your language, wearing your family’s face.
Google’s new AI tool spots fake IDs — but will it trap the undocumented?
Google rolled out a new AI tool that scans IDs like driver’s licenses and state IDs to catch fakes. It checks for subtle errors — mismatched fonts, wrong hologram patterns, invisible UV marks — things even sharp clerks might miss. The tool works fast: point your phone camera at an ID, and the AI says yes or no in seconds.
It’s already being used by banks, landlords, and gig platforms to verify workers. But for folks without paper trails — the cousin who cleans houses but doesn’t have a birth certificate, the auntie who works nights and never got a driver’s license — this could mean trouble. If the system only trusts IDs it recognizes, what happens when your ID is real but just… different?
The tech doesn’t ask why you don’t have a standard ID. It just says: not valid.
Why this matters for us: When AI decides who’s legit, the people who hustle hardest often get flagged first.
Google’s new reCAPTCHA is forcing users to install Play Services — even on cheap phones
Google’s reCAPTCHA just got heavier. Now, to prove you’re not a bot, you might need to install Google Play Services — even if you’re on a $50 phone bought from a corner store. No Play Services? No access. No checkout. No form submission.
For folks using older Android devices, especially in communities where data plans are tight and new phones are a luxury, this feels like a silent tax. You don’t upgrade. You don’t delete apps. You just get locked out — by a checkbox that won’t stop asking you to click on traffic lights and crosswalks.
It’s not just about security. It’s about control. Google’s move pushes users deeper into its ecosystem. No Play Store? No updates. No Play Services? No internet. And for many, that means no job applications, no banking apps, no vaccine records, no government forms.
This isn’t a glitch. It’s a design choice. One that assumes everyone has fast Wi-Fi, a credit card, and the patience to navigate Google’s app store. For la gente who survives on used phones and prepaid data? The system just got harder.
Why this matters for us: Your $50 phone just got a lot less free — and Google’s the one deciding what ‘real’ internet looks like.