a teacher opened a canvas support ticket in april carrying hidden code; three days later a support agent opened it, silently executing code in their browser, and within a week a known data-extortion group claimed 3.65 terabytes covering 275 million student accounts across 8,809 institutions. the chain exploited a stored cross-site-scripting flaw, weak session scoping and a missing security header. the scale — a quarter-billion students from one support ticket — is unusually large for a single education-platform compromise.