Canvas Data Breach 2026 – Student and Teacher Information Exposed

Hackers claim millions of student and teacher records were stolen in major cyberattack targeting Canvas LMS.
Canvas Data Breach Under Investigation
Instructure Holdings Inc., the company behind the widely used Canvas Learning Management System (LMS), is investigating a major cybersecurity incident that may have exposed sensitive information belonging to students, teachers, and educational staff worldwide.
The cyberattack has been linked to the hacking group known as ShinyHunters, which claims to have stolen more than 3.65 terabytes of data affecting up to 275 million users and nearly 9,000 schools and educational institutions.
If you use or previously used Canvas through a school, college, university, or employer, your information may have been affected.
What Happened?
According to public reports, ShinyHunters listed Instructure on a dark web leak site on May 3, 2026, demanding payment from the company and threatening to publicly release the allegedly stolen data.
The hackers claim they gained access to internal company systems and exfiltrated massive amounts of information associated with Canvas users. The group also alleged that Instructure’s Salesforce environment may have been compromised.
Instructure has confirmed that it recently experienced a cybersecurity incident involving a “criminal threat actor” and stated that outside forensic experts have been retained to investigate the attack.
The company further stated that some user-identifying information and internal messages may have been accessed or exfiltrated during the breach.
What Information Was Exposed?
According to public statements and reports regarding the breach, the compromised information may include:
- Full names
- Student identification numbers
- Email addresses
- Internal Canvas messages and communications
- School-related account information
The hackers additionally claim to possess billions of private messages exchanged between students, teachers, and administrators through the Canvas platform.
At this time, Instructure states there is no evidence that passwords, dates of birth, government-issued identifiers, or financial information were exposed.
What Are the Risks?
Cybersecurity experts warn that the exposed information may still create serious privacy and security risks for affected individuals.
Stolen educational data and private communications could potentially be used for:
- Identity theft and fraud
- Phishing attacks impersonating schools or teachers
- Social engineering scams
- Unauthorized access attempts
- Exposure of sensitive academic or personal discussions
Because Canvas is used by schools, colleges, universities, and organizations around the world, the potential impact of the breach could be widespread.
What Does the Investigation Involve?
Investigators are examining:
- How attackers gained access to company systems
- Whether adequate cybersecurity safeguards were in place
- What categories of information were exposed
- How long unauthorized access may have occurred
- Whether affected users received timely notice of the breach
Data breach investigations often focus on whether companies implemented reasonable security measures to protect sensitive consumer information.
Who Is Affected?
The incident may affect students, parents, teachers, administrators, and staff members who used Canvas through educational institutions or workplace training programs.
Even individuals who have not yet received a notification may still have had information exposed if they used Canvas during the affected time period.
What Should You Do?
If you believe your information may have been compromised, you should consider taking the following steps:
- Monitor your email and online accounts for suspicious activity
- Be cautious of phishing emails or fake school communications
- Change passwords associated with educational accounts
- Watch for unauthorized account access or unusual messages
- Monitor credit reports and financial accounts as a precaution
Taking proactive steps may help reduce the risk of fraud or identity theft.
You May Be Eligible for Compensation
Individuals affected by the Canvas data breach may be entitled to compensation for:
- Out-of-pocket expenses
- Costs associated with credit or identity monitoring
- Time spent addressing fraud risks
- Privacy violations
- Other damages permitted by law
Contact a Data Breach Lawyer Today
If you used Canvas and are concerned that your personal information or private messages may have been exposed, you should explore your legal rights.
Complete the form on this page to speak with a data breach lawyer.
There is no cost to have your claim reviewed, and you may be eligible to participate in a class action lawsuit investigation.









