Hackers claim data theft from 275 million Canvas users across 9,000 schools

A ransom campaign against Canvas showed how much of American education now runs through one fragile digital nerve center. ShinyHunters claimed it stole 3.65 terabytes of data from Instructure, the Utah-based company behind Canvas, and said the breach reached more than 275 million people across nearly 9,000 schools.

Instructure said it suffered a cybersecurity incident and brought in outside forensics experts and law enforcement. The company said the exposed information appeared to include names, email addresses, student ID numbers and messages among users. It said it found no evidence that passwords, dates of birth, government identifiers or financial information were involved.

The company moved quickly to contain the incident, deploying patches, increasing monitoring, revoking privileged credentials and access tokens tied to affected systems, and rotating application keys. Its status page said Canvas, Canvas Beta and Canvas Test were fully operational again as of May 6, 2026. Instructure also urged customers to enforce multifactor authentication, review administrator access and rotate API tokens or keys where appropriate.

The fallout landed hardest on campuses that depend on Canvas for assignments, announcements, grading and class messages. Users at Harvard University, the University of Pennsylvania, Princeton University and Duke University reported a message on their Canvas dashboards warning that ShinyHunters had breached Instructure and demanding negotiations before a May 12 deadline. The group first gave a May 6 deadline, then extended it. The timing made the incident especially disruptive during finals period, when students and faculty rely on the platform hour by hour.

The episode underscored how a single vendor compromise can ripple across schools at once. Canvas has been a dominant learning-management system in North America, with one 2023 market-share analysis putting it at about 30% by institutions and nearly 38% by students. That reach means a breach at Instructure is not just a corporate security problem; it is an education continuity problem that can affect grading, communications and student trust in thousands of places simultaneously.

The attack also followed a separate social-engineering incident Instructure disclosed in September 2025 involving its Salesforce instance. Instructure said that earlier incident did not access product or product data. Together, the two events have sharpened scrutiny of the company’s security posture and of the emergency plans colleges keep for the digital systems that now carry daily academic life.