
For years, EdTech’s relative obscurity was part of its security model. Not formally, of course. Vendors still ran penetration tests, security reviews, code scans, and audits. But there was a practical reality: compared with banks, cloud infrastructure, crypto exchanges, or major consumer platforms, most EdTech systems were not worth the same level of attacker effort, at least on the core products themselves.
AI may be changing that calculation.
The May Canvas breach should be read in that context. This was not simply a repeat of the September 2025 Salesforce incident, which appears to have been primarily a social-engineering attack against Instructure’s business environment. The May 2026 Canvas incident appears to have been quite different in nature: attackers found product-level vulnerabilities, then built the social engineering around those vulnerabilities.
That distinction matters. In an interview last month, Zach Pendleton, Instructure's Chief Architect, described an attack that does not begin with a manipulated support agent. It begins with cross-site scripting vulnerabilities in Canvas. The attackers were able to plant a malicious script in uploaded course material. That script sat dormant until a support agent clicked through to review the material, triggering the script inside the agent’s own session — a session with permissions that extended beyond the course where the material had been uploaded.
Instructure scans and tests for these types of scripts, but the hackers found out where there were missing protections. Pendleton was candid about how the vulnerabilities were found, which is to say that they were not found ahead of time by Instructure. The company runs an annual penetration test, maintains an internal security team, runs static analysis against its own code, and operates a bug bounty program that pays outside researchers to surface exactly this kind of flaw. None of those layers caught the two vulnerabilities before the attackers did. The people who breached Canvas caught both. The social engineering that has led most coverage of the breach was the delivery mechanism, not the whole attack.
The same group, against the same vendor, moved within eight months from the low-effort attack to the high-effort one. That is the new game EdTech needs to understand.
Contrasting September to May
It helps to set this breach against the one before it, in September of last year. That earlier attack by ShinyHunters was different in nature. It was social engineering against the company's Salesforce instance, peripheral business infrastructure, with no Canvas product involvement. That was the cheap way in: find the right person, use the access they have, take what it allows. The primary May breach was not that. This time the entry point was the product itself, vulnerabilities in Instructure's production systems, with the social engineering rebuilt around what the flaws made possible. The shift in approach from the same attackers against the same target is interesting in itself. The question that raises is not just how the attackers did it. It is why it had become worth doing.
Paradigm Shifts and “Worth It”
I have argued before that Gen AI is not improving along a smooth line but through paradigm shifts, and that the most consequential of them arrived late in 2025, when agentic tools grew reliable and cheap enough to carry out real multi-step work rather than merely assisting with it. The example I used at the time was my own: a piece of data visualization I could not have justified attempting a year earlier, not because it was impossible but because the effort outweighed the result, became feasible almost overnight. The shift did not make me faster at work I was already doing. It moved a whole category of work out of the column marked "worth doing but not worth the effort" and into the one marked "done."
The same shift applies to the ShinyHunters group that targeted Canvas in the cyber attacks, and it applies in the same manner. Reading a large codebase closely enough to find detailed weaknesses was never impossible. For a target like EdTech, however, it was usually not worth the time, because the data was only moderately valuable and the labor was real and better spent elsewhere. What changed last year is not that the work became possible but that it became cheap, and cheap enough to move attacking a mid-value sector out of the "not worth it" column, where it had often sat, and into the "worth it" one. The capability had been visible earlier, in autonomous systems that were already finding real vulnerabilities and outscoring human researchers through 2025, but the broad, low-cost, reliable version is recent. It is the cost, and not the novelty, that moves the calculation.
The New(ish) Role of AI
Pendleton said nothing about whether AI played any part in finding the Canvas vulnerabilities. My own read is that it defies belief to think AI played no role. Locating two specific flaws on the minority of surfaces where sophisticated testing happened to be missing is patient work that used to take skilled people a good deal of time, and that time was the cost that made it expensive. A group that does this for a living knows the cost has fallen, and would have every reason to use what is now available to them.
The recent capability to discover long-hidden vulnerabilities is not hypothetical, and almost none of the public evidence comes from education. In late 2024, Google Project Zero and DeepMind reported that their Big Sleep agent had found a real-world exploitable vulnerability in SQLite. In July 2025, Google reported a more striking case: Big Sleep found CVE-2025-6965, a critical SQLite flaw that Google said was known only to threat actors and was at risk of being exploited. Soon after, Google reported that Big Sleep had found 20 additional security vulnerabilities, mostly in open-source projects such as FFmpeg and ImageMagick. In mid-2025, XBOW, an autonomous security-testing system led by GitHub Copilot creator Oege de Moor, reached the top of HackerOne’s U.S. leaderboard ahead of thousands of human researchers and in one case matched a senior tester's forty hours of work in twenty-eight minutes.
But What About Vendors?
The obvious objection to the argument that a new AI paradigm enables new threat levels is that the vendors now hold the same tools. If an AI can probe Canvas for flaws for an attacker, it can do the same for Instructure, which can find and patch the flaws first. That is true as far as it goes, and it is why this is better understood as a race than as a single new weakness — a race that was most recently lost.
But the race is not symmetric, for two reasons. The first is the old asymmetry of completeness: the defender has to find and fix every exploitable flaw, while the attacker needs only one, and cheaper scanning helps the side whose task ends at a single success more than the side whose task never ends. The second is speed, since a vendor runs its audits on a schedule and then has to coordinate a fix across thousands of institutions, while an attacker runs continuously and moves the moment something surfaces.
EdTech in the Target Zone
There is already evidence that the increased focus on EdTech is happening. ShinyHunters has spent roughly the last year and a half working through education and the technology it depends on, with Instructure (multiple times), McGraw Hill, Infinite Campus, and individual universities among the confirmed victims. Just last week, Google said a ShinyHunters-linked campaign had exploited a zero-day in Oracle’s PeopleSoft enterprise software, with higher education making up the majority of U.S.-based targets.
This is the pattern of an EdTech sector that is increasingly becoming worth the trouble.
The question then is whether a sector that was mostly protected for years by being not quite worth attacking has noticed that the protection is gone. The cost of finding the way in has fallen, the calculation that kept attackers focused elsewhere has flipped, and the same tools that make defense cheaper make offense cheaper against a target that is now, for the first time, plainly worth the effort. The new game is already being played. EdTech is in it whether or not the community has fully registered the change.

The main On EdTech newsletter is free to share in part or in whole. All we ask is attribution.

