
Canvas Breach Exposes Student Data. What the Instructure Hack Means And What To Do Now.

Updated: May 12


Instructure, the American company behind Canvas and QLearn, has been breached, and the data sitting inside that breach belongs to children.


The exposed information includes children’s names, school email addresses, school locations, student ID numbers, and, in some cases, the contents of user messages.

What has been taken is enough to send a parent a believable email that appears to come from the school. It is enough to write a child a believable message that looks like it came from a teacher. It is enough to test those school email addresses against a hundred other consumer platforms a young person has signed up to with the same address, and watch quietly to see which doors open. This is the standard way modern attacks against schools begin.

When a tech vendor reports a breach as “limited” because the most obviously sensitive fields were not taken, what they are quietly doing is shifting the cost of the incident onto the schools and families who now have to live with the consequences for years. The platform’s reputational risk window closes inside a news cycle, but the exposure window for a twelve-year-old whose name, school and student ID are now circulating on a forum somewhere does not close at all.


A school email address quietly moves through every learning platform, every cloud backup, every shared document, every authentication system, and every third-party tool the school has integrated over the years, very often under tight timelines and tighter budgets, and almost always before any of us understood the kind of attack pattern we are now living with.


When that credential is compromised, even partially, attackers do not need to break in through the front door; they can walk in through a side gate set up years ago, in good faith, when nobody was yet thinking about exactly this scenario.

There is a question every parent and carer can ask their child this week, and it will probably be the most useful conversation they have all term:


Have you ever used your school email to sign up for anything that was not actually for school? 


The honest answer, in almost every household, is yes, and usually yes, many times across many platforms, including social media, Discord, gaming sites, online shopping, homework helper apps, meme generators, and the occasional random sign-in for a friend’s birthday RSVP.


Children do this because they have always been handed an email address without much explanation of the architecture sitting behind it, and have been quietly expected to understand information governance on their own. Safe on Social teaches this in our student and staff sessions because this is one of the parts of school technology that schools and families still need to learn together continuously.

What is worth saying clearly this week to students, staff and families.


A school email is for school - not for gaming, shopping, social media, or signing up to apps and platforms that have nothing to do with learning, because every one of those external sign-ups is a small private door that ties back to the school’s identity system, and every one of those doors will eventually be tested by someone.

Strong, unique passwords across every account - Use two-factor authentication wherever it is offered; it is no longer a luxury for tech-savvy families. It is simply the seatbelt of modern digital life, and it belongs on every account that matters.

Do not open unexpected emails - Those that reference the school, the platform, the breach itself, or any "verify your account" request should be treated with healthy suspicion, because the phishing wave that follows breaches like this one is predictable, well-resourced and tailored to look plausible to people who are already busy and tired and trying to do the right thing.

The rule of thumb for every child and every staff member is simple: If a message creates urgency, slow down, because urgency is the engine of almost every successful attack. And if anything looks odd, the right move is to report it to the school first, before clicking, forwarding, or deleting.

A few practical steps families can take this week

Check whether your child has reused their school password anywhere else - If they have, make it clear that they are not in trouble, then explain that there has been a breach and why those passwords need to be changed immediately, especially on gaming, social media, shopping, streaming, or Discord accounts. Consider moving non-school accounts away from school email addresses. Where practical, create a separate personal email account for gaming, social media, shopping, and entertainment so the school identity system is not connected to every part of a child’s online life.

Review what apps still have access to the school account - Many children sign into apps once and forget about them. Spend fifteen minutes together looking through connected apps and removing anything unnecessary or unfamiliar.

Talk to children about believable scams before they happen - Explain that attackers may now know their school name, year level, email format, teacher names, or learning platforms. The goal is not to instil fear, but to help children recognise that a message can look real yet be fake.

Remind children that schools will never ask for passwords by email or direct message - Any request to “verify,” “unlock,” or “confirm” an account should be checked directly with the school first.

Watch for emotional manipulation, not just technical tricks - Modern phishing attacks often create urgency, fear, embarrassment, curiosity, or pressure. “You are in trouble.” “Your account will be deleted.” “Your assignment failed to upload.” Slowing down matters.

Encourage children to speak up early - Children often hide what they think are mistakes online because they fear punishment or losing access to devices. The earlier a school or family knows something suspicious has happened, the easier it is to limit harm.

None of these steps makes a family ‘perfectly secure,’ but they do reduce risk significantly and help children build stronger digital habits over time.

The harder conversation is one we are all in together. Cybersecurity in education has quietly become a board-level issue, and our governance and compliance frameworks, like everyone else’s across every sector, are still catching up to that reality. It now sits squarely within operational risk, child safety, duty of care, business continuity, and reputational management, and it is no longer something that can be handled by school IT teams alone, who, in most schools, are already stretched thin and doing extraordinary work with very limited resources.

The decisions about which third-party platforms to procure, what data those platforms can access, how that access is reviewed, and what is supposed to happen when one of them is breached are leadership decisions that affect children. They deserve the same scrutiny that a school excursion risk assessment receives, because the digital footprint a child carries out of a school is far larger and far longer-lived than any physical one. Schools and families cannot carry this on their own, and platforms will not carry it without sustained pressure from everyone else at the table.

None of this requires fear-based messaging.


Panic and fear are the laziest tools in the toolbox, and almost always backfire, especially with people who are already carrying more than they can comfortably hold.


What works, in classroom after classroom and staffroom after staffroom, is calm, repeated, plain-language education, year-round, anchored in real examples, and delivered without judgment of children, of parents, or of the schools that are absorbing more digital risk every year while still being expected to teach reading and writing and everything in between.

If you would like to work with us on onsite education, policy and governance, or advice, please reach out at hello@safeonsocial.com


If you’ve made it all the way to the end, thank you. These pieces take time (usually more than I ever expect), a lot of reading, and a fair bit of quiet thinking to turn complex policy and law into something that actually makes sense in real life. If you find this work helpful, grounding, or even just a little clarifying, subscribing is a simple way to support it. It helps me keep doing this slowly, carefully, and without rushing past the details that matter. No pressure, ever. But if you’d like to be part of keeping this kind of work going, you can choose from the options you will see when you click here

