The breach involves Instructure, the parent company of Canvas, a web-based learning management system used daily by educators and students for coursework, assignments and communication. Thousands of institutions and millions of users have reportedly been affected, including the University of Pennsylvania.
According to the university's newspaper The Daily Pennsylvanian, the hackers reportedly wrote in Penn's Canvas page that any university that does not wish to have its data released should contact the group before May 12.
Students at Penn said they have not received official communication about the incident, though some are aware of the reports. Experts are urging vigilance as the situation develops.
"The one thing that stands out with this attack is its sector-wide. We have a vendor that's used by almost the majority of education institutions around the country," said Rob D'Ovidio, an associate professor in Drexel University's Department of Criminology.
Canvas plays a central role in students' academic routines, serving as a hub for assignments, schedules and communication.
"We use canvas for all our classes, usually professors put our assignments on there. Pretty big part of our day-to-day life," said Charles Shen, a junior.
"I think everything these days is all on Canvas... even for my calendar," said senior Eric Zuckerman.
While experts say highly sensitive personal information such as Social Security numbers, passwords and usernames has not been compromised. Other data has been exposed, including names, email addresses, messages and student ID numbers.
Still, students remain a prime target for scammers who may use the information obtained in the breach to launch phishing attacks or other fraudulent schemes.
"If I was a Canvas user at an institution that was compromised, I'd be on the lookout for phishing attacks," D'Ovidio said.
Experts believe the group behind the breach may not use the data directly but could sell it to others, increasing the likelihood of targeted scams.
"Once they get this basic information, name, student ID, email, you become an increased risk you'll be targeted," D'Ovidio said.
Despite the scale of the breach, some students say cyber incidents have become so common that they no longer come as a surprise.
"It's almost like this desensitization," said Sarah Parmet, a freshman.
The group responsible for the breach is reportedly demanding a large payout from affected institutions and is threatening to release the data if payment is not made. Experts recommend against paying such demands and instead advise affected users to monitor their accounts closely and be cautious of suspicious emails or messages.
As school institutions assess the extent of the breach, officials and cybersecurity experts continue to urge caution among students and staff who rely on the platform every day.
Action News has reached out to the University of Pennsylvania for comment, but we have not heard back.