A single support ticket allegedly became the entry point for one of the biggest EdTech security incidents of 2026. The Canvas breach shows how stored XSS, weak session scoping, and missing browser-layer defenses can turn a routine help-desk workflow into a large-scale data exposure.
This breakdown walks through the attack chain: malicious ticket content, hijacked support session, API abuse, ShinyHunters’ role, CSP failures, and the practical lessons SaaS and EdTech teams should take seriously.