Canvas Data Breach: 275 Million Student Records Stolen (2026)
On May 1, 2026, hackers from the group ShinyHunters breached Instructure, the company behind Canvas - the learning management system used by 41% of US colleges and thousands of K-12 schools worldwide. They stole 3.65 terabytes of data covering an estimated 275 million records, including student names, email addresses, student IDs, and private messages between students and teachers. The group threatened to leak the data unless schools paid ransom by May 12. It is the largest education data breach on record. If you or your children use Canvas, here is what was exposed, what to do, and why school platforms deserve the same scrutiny as any other cloud service holding your family's data.
What happened to Canvas
Canvas is the dominant learning management system in the United States. Schools use it for assignments, grades, discussions, and messaging between students and teachers. Instructure, the Utah-based company that owns Canvas, serves over 8,800 educational institutions worldwide.
On May 1, 2026, Instructure posted a notice on their status page acknowledging a cybersecurity incident. By May 2, they confirmed that data had been exfiltrated. The hacking group ShinyHunters - the same group behind the 2020 Tokopedia breach and the 2024 AT&T breach - claimed responsibility and posted a ransom note on May 3.
ShinyHunters said they had stolen 3.65 terabytes of data from approximately 8,809 schools, universities, and educational institutions across the globe. They gave Instructure until May 6 to respond, and individual schools until May 12 to negotiate a settlement. The exposure window lasted from April 30 to May 7, 2026.
Canvas went offline during the investigation, stranding students in the middle of finals week at dozens of universities. The system came back up within hours, but the data was already gone.
What data was stolen
Instructure confirmed that the breach included names, email addresses, student ID numbers, and user messages. The messages are the most concerning part: Canvas is where students communicate with teachers, submit assignments, and discuss grades. Those conversations contain personal context that no one expects to become public.
Instructure stated they found no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. But 275 million records of names, emails, and private messages is still an enormous exposure. ShinyHunters claimed access to"several billions of private messages" in their ransom note.
| Data type | Confirmed stolen | Risk level |
|---|---|---|
| Names | Yes | Medium - identity correlation |
| Email addresses | Yes | High - phishing, spam, account enumeration |
| Student ID numbers | Yes | Medium - institutional identity theft |
| Private messages | Yes | High - personal context, harassment potential |
| Passwords | No evidence | Low (but change them anyway) |
| Financial data | No evidence | Low |
How ShinyHunters got in
Instructure confirmed the exploit was related to their Free-For-Teacher accounts - a feature that lets teachers sign up for Canvas without going through their school's IT department. ShinyHunters used these accounts to gain initial access, then escalated privileges to reach the production database.
After the initial breach was contained, ShinyHunters launched a second wave on May 7, defacing login pages at several universities. This secondary attack exploited the same Free-For-Teacher account pathway, suggesting Instructure's initial fix was incomplete.
The pattern is familiar: a convenience feature meant for individual users becomes the entry point for a massive breach. It is the same pattern behind contractor-related breaches and third-party data exposures. The weakest access point determines the security of the whole system.
Why school platform data matters more than you think
Most people evaluate privacy risks for apps they choose to use - their photo storage, their messaging platform, their social media. But school platforms are different. Students don't choose Canvas. Their school mandates it. A 14-year-old has no say in whether their messages to their teacher live on Instructure's servers.
This is the same problem with any system where one institution makes the technology choice and millions of individuals bear the privacy risk. It's why school photo sharing deserves careful thought: the photos, messages, and data your children share through school-mandated platforms are only as safe as the vendor's security practices.
Canvas held private messages between students and teachers. Some of those conversations involved academic struggles, disciplinary issues, mental health concerns, or family situations. That context, now in the hands of a criminal group, has real potential for harassment, blackmail, or targeted phishing of minors.
What families should do right now
If you or your children used Canvas at any point before May 7, 2026, assume your data was included. Here is what to do:
- Change your Canvas password immediately. Even though Instructure said passwords were not compromised, the stolen email addresses make you a target for credential-stuffing attacks. If you used the same password elsewhere, change those too.
- Watch for phishing emails. With names, emails, and student IDs in hand, attackers can craft highly convincing phishing messages that look like they come from your school. Be suspicious of any email asking you to log in, verify your account, or click a link - even if it references your specific school or student ID.
- Review what your children share on school platforms. Talk to your kids about what kind of information they put in Canvas messages. Going forward, keep personal conversations and photos off school-mandated platforms.
- Ask your school about their response. Your school should have received a notification from Instructure. Ask them what data was specifically exposed for your institution, whether they have a monitoring plan, and what alternative platforms they are evaluating.
- Set up credit monitoring for minors. Stolen student data is particularly valuable to identity thieves because children's credit goes unchecked for years. Consider freezing your child's credit with the three major bureaus.
Try Viallo Free
Share your photo albums with a single link. No account needed for viewers.
Start Sharing FreeThe pattern: education platforms are soft targets
Canvas is not an isolated incident. The education technology sector has been hit repeatedly because schools prioritize functionality and cost over security, and vendors know it. PowerSchool was breached in 2024. Illuminate Education exposed 820,000 student records in 2022. The MOVEit breach in 2023 hit multiple school districts through a file-transfer vendor.
The pattern is consistent: school IT departments are understaffed, vendor security audits are minimal, and students have no choice about whether to use the platform. Canvas alone held data from 41% of US higher education institutions. One vulnerability, 275 million records.
This is also why keeping personal photos and family content off school-mandated platforms matters. Schools may require your child to use Canvas for homework, but they should not be the place where your family shares photos, personal updates, or anything beyond what's academically necessary.
Keep personal and school data separate
The lesson from the Canvas breach is broader than one platform: any service you are required to use, rather than choosing to use, deserves extra scrutiny. You control what you put on those platforms, even if you can't control the platform itself.
For family photos and personal sharing, use a dedicated platform where you control access. Viallo is a private photo sharing platform that stores photos on EU-based Cloudflare servers with no AI scanning, no message mining, and no data sold to third parties. You can share albums through a link - recipients view photos in their browser without creating an account, downloading an app, or giving up their own data. If a school breach happens, your family photos are in a completely separate system.
The practical rule: school platforms get schoolwork. Personal photos, family conversations, and anything you would not want leaked in a breach go on a platform you chose and control.
What happens next
ShinyHunters set a May 12, 2026 deadline for schools to negotiate a settlement. Whether Instructure or individual schools pay the ransom - or whether the data gets leaked publicly - remains uncertain. History suggests the data will eventually surface on dark web forums regardless of payment.
Instructure will face regulatory scrutiny under FERPA (the Family Educational Rights and Privacy Act), which governs student education records. Several universities have already launched their own investigations. Class-action lawsuits are likely given the scale - 8,809 institutions and potentially hundreds of millions of affected individuals.
For families, the immediate risk is phishing. The longer-term risk is identity theft targeting minors. And the systemic risk is that we keep entrusting massive amounts of personal data to education vendors with minimal security requirements.
Try Viallo Free
Share your photo albums with a single link. No account needed for viewers.
Start Sharing FreeFrequently Asked Questions
What is the best way to protect my child's data after the Canvas breach?
Change your child's Canvas password immediately and enable two-factor authentication if available. Freeze your child's credit with Equifax, Experian, and TransUnion to prevent identity theft - stolen student data often goes undetected for years because minors don't check credit reports. Viallo keeps family photos completely separate from school platforms, stored on EU servers with no data shared with third parties. Going forward, keep personal conversations and photos off school-mandated systems.
How do I check if my school was affected by the Canvas data breach?
Contact your school's IT department directly - Instructure notified affected institutions and they should be able to confirm. You can also check Instructure's status page for updates. ShinyHunters claimed 8,809 schools were affected worldwide, with 41% of US colleges using Canvas. If your school uses Canvas and you had an active account before May 7, 2026, assume your data was included until told otherwise.
Is it safe to keep using Canvas after the data breach?
Instructure patched the Free-For-Teacher vulnerability and Canvas is back online. However, the stolen data cannot be un-stolen. The platform is likely safe to use for its intended purpose - coursework and grades - but treat it as a work tool, not a personal one. Don't share personal photos, sensitive information, or anything beyond academic content through Canvas messages. Google Photos and iCloud offer more mature security practices for personal content, and Viallo offers EU-hosted storage with no content scanning for private family sharing.
What is the difference between a school data breach and a photo storage breach?
School data breaches expose information you were required to provide - your child had no choice about creating a Canvas account. Photo storage breaches expose content you chose to upload. The key difference is consent and control. With photo platforms like Viallo, you decide what to upload, who can see it, and when to revoke access. With school platforms, your child's participation is mandatory and the security decisions are made by school administrators and vendors you never vetted.
Can hackers access my family photos through school platforms like Canvas?
If you or your children uploaded photos or shared images through Canvas messages, those files were potentially included in the breach. Canvas is designed for academic work, but students routinely attach images and share files through its messaging system. Viallo keeps family photos on a completely separate infrastructure - EU-based Cloudflare servers with encryption at rest, no third-party data sharing, and sharing via private links that you can revoke or password-protect at any time. The safest approach is to keep personal content off platforms you don't control.