If you’re a student, teacher, or IT admin and you used Canvas in 2026, your data was almost certainly involved in the largest education breach on record. Here’s the straight story: what happened, what got stolen, and what to do about it.
The hacking group ShinyHunters hit Instructure, the company that runs Canvas LMS, in late April. By the time the dust settled in mid-May, the attackers claimed access to data on roughly 275 million people across nearly 9,000 schools and universities worldwide. Instructure ended up paying the ransom on May 11.
The Canvas breach timeline in plain English
The attack didn’t happen in one shot. It rolled out over more than two weeks, and the dates matter:
- April 25, 2026. Unauthorized actors first slipped into Canvas systems. Nobody outside Instructure knew yet.
- April 29. Instructure detected the intrusion, revoked access, and brought in third-party forensics.
- May 1. The breach was confirmed and disclosed publicly. Initial impact assessment was vague.
- May 3. ShinyHunters posted a ransom note claiming 275 million records and “several billion private messages.” Their deadline to negotiate: May 6.
- May 6. Instructure said the incident was contained. It wasn’t.
- May 7. Students logged in to find the Canvas login page replaced with a ransom message from ShinyHunters. The platform was pulled offline. This was the second compromise.
- May 8. Investigators identified the attack vector: a flaw in Canvas’s Free-for-Teacher account system.
- May 11. Instructure paid the ransom, claimed the data had been destroyed, and issued an apology for poor transparency during the incident.
Canvas is back online. The Free-for-Teacher accounts that enabled the attack are temporarily disabled.
Who are ShinyHunters?
ShinyHunters is one of the more active data-extortion groups of the last few years. They’ve been linked to breaches at telecoms, retailers, and SaaS platforms, and they typically work the same playbook: steal data, post proof, demand payment, leak if ignored.
Their breach techniques have leaned heavily on social engineering and credential abuse — voice phishing employees, hijacking weakly secured admin accounts, then quietly exfiltrating before anyone notices. According to KrebsOnSecurity, the Canvas attack looks consistent with that pattern.
What data was actually stolen
This is the question most people care about, and the answer is more nuanced than the headlines suggest.
Confirmed in the stolen data:
- Names
- Email addresses
- Student ID numbers
- User-to-user messages within Canvas (these are the “billions of private messages” ShinyHunters bragged about)
Not confirmed as stolen:
- Passwords
- Dates of birth
- Government IDs
- Financial information
The total dataset weighed in at roughly 3.65 terabytes, according to The Hacker News. That’s a lot of names and inboxes.
One important caveat: “not confirmed” doesn’t mean “definitely safe.” Educational institutions store wildly different things in Canvas. Some districts upload IEPs, attendance records, or grade transcripts. Whether your specific data leaked depends on what your school chose to store in there.
How the attackers got in: the Free-for-Teacher flaw
Canvas offers a free tier called Free-for-Teacher — basically self-service accounts that any educator can spin up without going through an institution’s IT approval. It’s a great onboarding tool. It was also the way in.
According to multiple sources, the vulnerability lived in how these accounts authenticated against Canvas’s broader infrastructure. Once ShinyHunters compromised a Free-for-Teacher account, they could pivot into systems that should have been completely isolated.
This is a recurring story in SaaS security. “Lower-tier” or “free” accounts often get less scrutiny during pen testing because the assumption is they have lower privileges. Attackers know this and aim there first.
Should you be worried?
Depends on who you are.
If you’re a student or teacher who used Canvas: Your name, email, and Canvas messages were probably in that dataset. ShinyHunters claims the data was destroyed after Instructure paid, but no one outside the negotiation can verify that. Treat it as if your Canvas messages are now in the wild.
If you’re an IT admin: Your institution likely got a vendor notification. If you haven’t already, audit what your district uploaded into Canvas beyond the basics. The breach exposed messages, which can contain everything from disciplinary discussions to mental health referrals.
If you’re a parent of a K-12 student: The breach affected K-12 districts as well as universities. Your child’s name, ID, and school correspondence could be exposed. CNN’s coverage highlighted the finals-week chaos this caused at universities, but the K-12 side has been quieter and harder to track.
What to do right now
Five concrete steps, in priority order:
- Change your Canvas password. Even though passwords weren’t confirmed as stolen, password reuse means a leaked email is enough to start credential-stuffing attacks elsewhere.
- Turn on multi-factor authentication. If your institution offers SSO or MFA for Canvas, enable it. Now.
- Be skeptical of Canvas-themed emails for the next 6 months. Phishers love a fresh breach. Expect fake “your Canvas account was compromised, click here to verify” emails.
- Check your school’s official communication. Don’t trust forwards or social media. Go directly to your institution’s IT page for the breach response and what they’re doing about it.
- Ask your institution what was stored beyond the basics. If the answer is “we don’t know,” that’s the problem.
The bigger picture for EdTech
This is the second major EdTech breach in two years. The pattern is hard to ignore: education platforms hold enormous amounts of personal data on a population (minors and young adults) that has very little leverage to push back on security failings. Combine that with thin IT budgets at most school districts and you get easy targets.
The fact that Dark Reading covered a successful second compromise of the same platform within a week tells you something about incident-response maturity in the sector. Containment in one phase doesn’t mean attackers are out. It just means they’re quieter.
Expect more regulatory attention here. The FTC has been hinting at stricter rules for student data; this will probably accelerate that.
Frequently asked questions
Was my Canvas account part of the Instructure breach?
If your school uses Canvas and you used it in 2026, very likely yes. ShinyHunters claimed access to roughly 275 million individuals across nearly 9,000 institutions. There’s no public lookup tool to check a specific account, so assume yes and act accordingly.
Did ShinyHunters steal my Canvas password?
Passwords have not been confirmed as part of the stolen data. Confirmed types are names, emails, student IDs, and Canvas messages. Change your password anyway — credential-stuffing attacks are common after major breaches.
Should I delete my Canvas account?
You can’t usually delete your account unilaterally if it’s tied to an active school enrollment. What you can do is change your password, enable MFA if your institution supports it, and avoid sending sensitive messages through Canvas going forward.
Is Canvas safe to use now?
The specific vulnerability used in this attack (Free-for-Teacher account abuse) has been disabled. Instructure has not yet released a full post-incident report on what else has been hardened. Treat it as more secure than it was on May 7, but assume not bulletproof.
What is the Free-for-Teacher vulnerability?
Free-for-Teacher accounts are self-service Canvas accounts that don’t require institutional approval. The breach exploited a flaw in how those accounts authenticated against the broader Canvas platform, allowing the attackers to escalate privileges. Instructure has temporarily disabled the Free-for-Teacher tier while they fix it.
Did Instructure really pay the ransom?
Yes. According to The Hacker News and Inside Higher Ed, Instructure reached a ransom agreement with ShinyHunters on May 11. The company says the stolen data was destroyed afterward. There’s no way for outsiders to verify that claim.
Sources
- KrebsOnSecurity: Canvas Breach Disrupts Schools & Colleges Nationwide
- The Hacker News: Instructure Reaches Ransom Agreement with ShinyHunters
- Dark Reading: ShinyHunters Claims Second Attack Against Instructure
- CNN: Canvas hack strands college students during finals week
- Wikipedia: 2026 Canvas security incident (timeline reference)
- Inside Higher Ed: Instructure Pays Ransom to Canvas Hackers
Last updated: May 22, 2026.