Canvas got hit twice. Here's what every district should ask their vendors right now.
In May 2026, the hacking group ShinyHunters breached Instructure's Canvas learning management system. Not once — twice. They walked away with roughly 3.65 terabytes of data covering 275 million users across 8,809 institutions worldwide. Student names. School emails. Student ID numbers. Private messages between students and teachers.
Canvas runs the back end at 41% of North American higher-ed institutions and thousands of K-12 districts. If your district uses Canvas — even peripherally — you're in this number. Instructure paid the ransom. The attackers say the data is destroyed. The trust damage isn't.
We're not writing this to scare anyone. We're writing this because there's a clear lesson every superintendent, principal, IT director, and school board member should walk away with — and it's not about Canvas specifically. It's about how schools choose their tech vendors.
### How they got in
Instructure ran a program called "Free-For-Teacher." Any teacher — anywhere — could sign up without institutional verification. No district approval, no domain check, no vetting. That free tier ran on the same infrastructure as the paying customers. Same servers. Same database. Same physical machines.
ShinyHunters didn't break down the front door of any paying school district. They walked through the front door of Free-For-Teacher with a free account, and from inside the same shared infrastructure, pivoted into production data belonging to schools that paid Instructure to keep that data safe.
This is the multi-tenant SaaS model. Your data is sitting in the same room as every other customer's data, separated by a software wall. Sometimes those walls hold. Sometimes — like here — they don't.
[Figure: shared cloud tenancy compared with on-premise sovereignty]
### What it means for your district
Three concrete things are about to land on superintendents' desks if they haven't already:
1. Spear-phishing. Attackers now have student emails, names, and which school they attend. The next 6–12 months will bring targeted phishing aimed at families — "Hi, this is Principal X from your son's school, can you click here to verify..." Train your staff and warn parents now.
2. FERPA exposure. Federal student-privacy law was likely violated. Your district's compliance officer should be on a call with legal counsel this week — not next month.
3. API integration cleanup. Most districts pipe Canvas data through ten or more other tools — gradebooks, attendance, parent apps. If Canvas leaked, anything downstream that authenticated against it may need credential rotation and audit.
### Four questions every district should be asking every vendor right now
It doesn't matter if it's Canvas, Google, Microsoft, Zoom, or the next ed-tech startup pitching at the school board meeting. Ask these:
1. Where does our student data physically live? Country, region, data center. If they can't answer in one sentence, that's the answer.
2. Is our data isolated, or shared infrastructure with other customers? "Multi-tenant" means shared. Ask what physically separates your district from the rest.
3. Do you have a free tier connected to our production environment? This is the Canvas-shaped question. If yes, that's a backdoor with your name on it.
4. Can we run this on our own hardware? On-premise is a real option. Vendors who say "no, never" are telling you something about their priorities.
### What Brown Forces builds for
We've been saying this for two years: when your data lives on someone else's cloud, behind a free-tier signup form, on shared infrastructure with strangers — you have given up control. Sovereignty isn't optional. It's the foundation.
Obsidian AI is the on-premise AI appliance we built for organizations that can't afford to lose control of their data. It runs in your building, on your hardware, behind your firewall. No multi-tenant anything. No free tier connected to your production. No shared infrastructure. The thing that just happened to Canvas can't happen to Obsidian, because the architecture doesn't allow it.
If you're a district administrator reading this and you want a thirty-minute conversation — no sales pitch, just "what are my real options" — reach out to me directly. Salvador Alvarez, founder. salvador@brownforces.io.
We didn't build Obsidian as a response to Canvas. We built it because we already saw this kind of breach coming. The Canvas event is the first big public proof, not the last.
Why this matters for us: A district in the Coachella Valley with 80% Latino students has the same data-sovereignty rights as a tech company in Palo Alto. When a vendor breach exposes our kids' names, IDs, and teacher messages, the harm doesn't fall evenly — our communities have less margin for the consequences. Sovereignty isn't just a security choice. It's an equity choice.