Instructure Canvas Data Breach 2026

Last Updated on May 7, 2026 by Arnav Sharma

If your institution runs on Canvas, you’ve probably already received a notification from Instructure this week. If not, you will soon. Either way, here’s the full picture of what happened, what data was exposed, and what your security team should be doing right now.

---

What Happened

On April 30, 2026, attackers gained access to systems belonging to Instructure, the company behind the Canvas learning management system. The attack exploited a vulnerability in Instructure’s cloud environment. By May 1, Instructure had confirmed the breach publicly and taken parts of its service offline, including Canvas Data 2 and Canvas Beta, while it worked to contain the damage.

The group that claimed responsibility is ShinyHunters, a well-known cybercrime collective with a track record of large-scale attacks against cloud platforms. They’ve been linked to breaches at Ticketmaster, multiple universities, and now Instructure. This isn’t a group that makes idle threats.

On May 3, ShinyHunters listed Instructure on its data leak site and released 3.65 terabytes of data as proof. Their post claimed the theft of data from 275 million individuals across nearly 9,000 schools, universities, and online education providers worldwide.

---

The Extortion Play

The pattern here is textbook ShinyHunters. They go for scale, then apply pressure.

After claiming the breach, they issued a deadline. “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying [digital] problems that’ll come your way,” they wrote on their forum. They also threatened to release “billions of private messages” between students and teachers unless Instructure paid a ransom.

When Instructure didn’t engage, ShinyHunters published a list of the nearly 9,000 affected institutions on May 5, including all eight Ivy League universities. That same list reportedly includes institutions across the UK, Europe, and Asia-Pacific, with roughly 15,000 entries depending on the source.

It’s worth reading between the lines here. Financially motivated groups routinely inflate breach claims to generate media pressure and push victims toward paying. The 275 million figure is ShinyHunters’ number. Instructure has not confirmed that scale. Even so, the data samples verified by TechCrunch and the Daily Pennsylvanian were real, containing names, email addresses, student ID numbers, and messages.

---

What Data Was Actually Exposed

Based on Instructure’s own statements and independently verified data samples, here’s what we know was involved in the breach:

• Names
• Email addresses
• Student ID numbers
• Messages between users (internal Canvas messages, potentially including phone numbers and addresses in some cases)

Instructure’s Chief Information Security Officer Steve Proud confirmed the incident was “perpetrated by a criminal threat actor” and stated that the investigation is ongoing. He was direct about what wasn’t found: “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”

That’s important context. No passwords. No financial information. No government identifiers. The breach is serious, but it’s not the worst-case scenario.

ShinyHunters also claimed to have accessed Instructure’s Salesforce instance, though this has not been confirmed by the company.

---

Who’s Affected

More than 40% of higher education institutions in North America use Canvas. The canvas platform is one of the most widely deployed learning management system tools globally, which is exactly why it’s such an attractive target.

The breach affecting data from 275 million records, if accurate, would make this one of the largest education sector breaches on record. Australian institutions are in scope as well. Hackread.com confirmed the full list includes institutions across the UK, Europe, and Asia-Pacific regions. If your university or school district uses Canvas, assume you’re on that list until you hear otherwise.

---

How Instructure Responded

Instructure moved quickly once the breach was confirmed. According to their public status log, the company:

• Patched the exploited vulnerability
• Rotated API keys and application credentials (which forced third-party integrations to re-authorise)
• Brought in an external forensics firm to support the investigation
• Notified law enforcement
• Began the process of notifying affected institutions

By early May 6, Canvas Data 2 and Beta had been restored for most customers. Canvas Test remained under maintenance.

The company has not publicly disclosed the specific vulnerability that was exploited. They’ve also declined to comment on the ransom demand. Given that Instructure chose not to engage with ShinyHunters, institutions should assume the data will be released publicly.

A forensics investigation like this takes weeks. Expect updates from Instructure to continue as the picture becomes clearer.

---

What Australian and Global Schools Should Do Now

For IT and Security Teams

• Reset your third-party integrations. Because Instructure rotated API keys as part of containment, any external tools connected to Canvas via token-based authentication may have lost access. Audit your integration list. If a connection broke, that’s your signal to re-authorise cleanly and review what data each integration can see.
• Treat user messages as compromised. If your staff and students use Canvas messaging, assume that data is now in attacker hands. Alert your communications team so they’re ready if students start getting targeted phishing or SMS messages using real names, course names, or teacher details.
• Brief your help desk. The most likely second-order attack here is phishing. Students and staff will get convincing messages that appear to come from their institution, referencing real classmates, real subjects, and real assignments. Your help desk needs to know what’s happening so they can triage those calls properly.
• Check for downstream exposure. For students using the same password across Canvas and other accounts, that’s a real risk even though login credentials weren’t directly confirmed in this breach. Encourage password resets and push multi-factor authentication hard.

For Parents and Students

Avoid clicking links in unsolicited messages, even ones that look like they’re from your school. If you get an unexpected email or SMS asking you to log in, go directly to your institution’s official site instead of following any link in the message.

If you reuse passwords, now is the time to fix that. A password manager makes it easy to give every account its own credential.

For Risk and Compliance Teams

Your vendor risk assessments need to account for this. Instructure is a critical third-party supplier for many institutions. A cybersecurity incident involving a supplier of this scale is exactly why third-party risk management programs exist. If your program doesn’t include education technology vendors, that’s a gap worth addressing.

---

The Bigger Problem: Education Tech as an Attack Surface

The Instructure breach isn’t an isolated incident. PowerSchool was breached earlier this year, affecting 62 million students. Infinite Campus was targeted by ShinyHunters as well. Universities at Penn, Princeton, and Harvard have had their Canvas instances caught up in this breach.

The pattern is consistent. Education platforms hold enormous amounts of personal data, often with weaker security controls than financial or healthcare systems. They’re cloud-hosted, heavily integrated with third-party tools, and relied upon by institutions that often have limited security budgets.

What happened to Instructure is a preview of what’s coming for any LMS or education information technology platform sitting on a similar architecture without rigorous vulnerability management.

Three things stand out from a security architecture perspective:

1. Cloud vulnerabilities get found. The specific CVE here hasn’t been disclosed, but ShinyHunters confirmed the access came through a cloud vulnerability that has since been patched. Patch velocity matters. If you’re a vendor, your time-to-patch window is now measured in days, not weeks.
2. API access is a real attack surface. When Instructure rotated credentials to contain the breach, it disrupted thousands of third-party integrations. That’s a signal about how much data flows through API connections that institutions often don’t fully audit.
3. Extortion-based cybercrime is not slowing down. ShinyHunters’ model is efficient. Find a high-value target, exfiltrate at scale, threaten public release. The ransom demand, by their own account, “was not even as high as you might think.” That’s deliberate. They price it to make payment tempting.

---

Bottom Line

This is a serious breach involving real data from millions of students, teachers, and staff. Passwords and financial information appear to be out of scope based on what’s confirmed so far, but that can change as the forensics work continues.

If your institution uses Canvas, act now. Audit your integrations, brief your staff, and prepare your communications for the phishing wave that will follow once ShinyHunters releases the full dataset.

Instructure informed affected institutions as quickly as they could and has been transparent in their public updates, which is more than can be said for many breach responses. The investigation is ongoing. Watch Instructure’s official status page for the latest.

The harder lesson here is about third-party risk. When a vendor that sits at the heart of your institution’s academic operations gets breached, you feel it regardless of what your own security posture looks like. That dependency is the risk.