Instructure breach exposes student data, Canvas systems taken offline for review
Instructure said a cyber incident forced Canvas systems into review after student data was exposed, including names, email addresses, ID numbers and messages.

A breach at Instructure, the company behind Canvas, exposed student data and pushed parts of the learning platform into maintenance as the company worked to contain the damage. The incident matters far beyond one vendor: Canvas is embedded in schools and universities nationwide, which means a single compromise can ripple across classrooms, districts and campus systems at scale.
Instructure confirmed the cybersecurity incident and said it was working with outside forensic experts. The company said the attack was tied to social engineering involving its Salesforce instance, and it said no Instructure products or product data were accessed in that earlier 2025 incident. Even so, its public status updates showed Canvas Data 2, Canvas Beta and Canvas Test placed under maintenance during the investigation.
The company also reissued certain application keys as a precaution, forcing some end users to re-authorize access to connected tools. On May 4, 2026, Instructure said Canvas Data 2 should now be available for all customers, while Canvas Beta and Canvas Test remained under maintenance. Prior status updates were posted on May 1, May 2, May 3 and May 4, a sign that the company was still working through the scope of the incident as schools depended on the platform.

Reporting based on Instructure’s disclosures said the exposed data included names, email addresses, student ID numbers and messages between users. Instructure said it found no evidence that passwords, dates of birth, government identifiers or financial information were compromised. That distinction still leaves a serious privacy problem for minors and students whose records, identifiers and communications may have been exposed to unknown actors.
The hacking group ShinyHunters claimed responsibility and said it stole data tied to about 275 million users across nearly 9,000 schools. Those figures came from the group’s own claim and have not been independently verified. Still, the scale of the claim underscores the leverage ed-tech vendors hold over public education, where school systems often rely on a small number of platforms to manage assignments, messages and student records.

Instructure’s Trust Center says the company’s chief information security officer oversees breach response and that incident reports are meant to explain lessons learned and future prevention steps. For families and school systems, the larger question is whether those steps will translate into real control over the platforms that hold student data in the first place.

