If your child uses Canvas for schoolwork, or you attend a college or university that runs on it, your personal information may already be in the hands of one of the most active hacking groups operating today.
Instructure, the company behind the Canvas learning management system used by more than 40 percent of colleges and universities in the United States, confirmed a data breach on May 1, 2026. Two days later, the criminal extortion gang ShinyHunters claimed responsibility and listed Instructure on its dark-web leak site, alleging it stole data tied to 275 million users across nearly 9,000 schools. Instructure has not confirmed that scale.
The compromised data includes names and email addresses, student ID numbers, and messages exchanged between users, including students and teachers. Passwords, dates of birth, government identifiers, and financial information were not involved, based on what Instructure has confirmed so far. That's the good news. The bad news is that private academic conversations between students and teachers may now be in criminal hands, and that is more than enough to fuel targeted scams.
Why this matters
Canvas is not a niche product. The iOS student app alone has over 2 million ratings, and the platform operates across more than 100 countries following a $4.8 billion acquisition by private equity firm KKR in 2024. When a platform this central to daily school life gets hit, the breach does not stay contained to one institution. Every school that relies on it inherits the problem simultaneously.
The list of affected institutions published by ShinyHunters includes all eight Ivy League universities. At the University of Pennsylvania alone, the group claims over 300,000 users were affected, and a ShinyHunters member shared a data sample with reporters that included Canvas accounts and internal messages between students and faculty.
The most immediate risk is phishing. With names, institutional email addresses, student ID numbers, and message context available to the attackers, scam emails can be made to look extremely convincing – appearing to come from administrators, classmates, or teaching staff, and referencing real course details. Treat any unexpected Canvas-related email as suspicious until further notice. Go directly to your school's Canvas portal rather than clicking any links.
This is Instructure's second ShinyHunters breach in eight months
In September 2025, Instructure disclosed a separate incident in which a social engineering attack gave threat actors access to its Salesforce instance. ShinyHunters claimed responsibility for that breach, also. Two confirmed breaches in eight months, attributed to the same threat actor, raises serious questions about whether any fixes put in place after the first incident were adequate, particularly given that both appear to involve Salesforce infrastructure and credential-based access.
ShinyHunters' 2026 campaign has hit targets across finance, food delivery, education, and travel, with a playbook that leans on stolen records, dark-web leak-site pressure, and public threats to release data unless paid. Arrests of ShinyHunters associates across Canada, France, Turkey, and Finland appear to have done nothing to slow the pace of the attacks.
What parents and students should do now
If your child's school uses Canvas, change that password immediately, especially if your school allows login with a username and password rather than single sign-on. If your child reuses passwords across accounts, change those too. Give every account its own unique password, and consider using a family password manager (I recommend 1Password Families, which protects up to 5 people for $72 per year).
If your school or district offers multi-factor authentication on Canvas accounts, turn it on. A code sent by text or generated through an authenticator app makes it significantly harder for someone to access an account, even with a stolen password.
Watch your inbox closely for the next several weeks. Any message that references Canvas, your school, a tuition payment, financial aid, or account security – and asks you to click a link – should be verified by going directly to your institution's website or calling the relevant office.
Student data is protected under FERPA in the United States, and the updated COPPA rule that took effect June 23, 2025, tightens consent and breach notification requirements for data belonging to children under 13. If your child is under 13 and their school uses Canvas, your family may be entitled to specific breach notifications under both federal and state law.
Instructure says the incident has been contained and patches have been deployed. Given the company's track record over the past eight months, taking that reassurance at face value requires more trust than the situation has earned.
Read next: ADT refused to pay hackers – now 5.5 million customers' data is public
[Image credit: Suzanne Kantra/Techlicious via ChatGPT]
