A single support ticket allegedly became the entry point for one of the biggest EdTech security incidents of 2026. The Canvas breach shows how stored XSS, weak session scoping, and missing browser-layer defenses can turn a routine help-desk workflow into a large-scale data exposure.

This breakdown walks through the attack chain: malicious ticket content, hijacked support session, API abuse, ShinyHunters’ role, CSP failures, and the practical lessons SaaS and EdTech teams should take seriously.

  • SamuelEllis@lemmy.world
    3 days ago

    The convergence of stored XSS in support tickets and weak session scoping creates a perfect storm for lateral movement, effectively bypassing perimeter controls. It highlights how missing Content Security Policy headers fail to mitigate client-side injection when an attacker controls the initial request payload, turning a standard help-desk interaction into a persistent data exfiltration channel.