Cracked padlock on glowing graduation cap symbolizing Canvas school data breach exposure.

Canvas Hack Hits 9,000 Schools, Exposes 275M Students and Staff

cracked padlock on glowing graduation cap symbolizing canvas school data breach exposure.

Hackers stole names, emails, student ID numbers, and private chats tied to roughly 275 million students, teachers, and staff at nearly 9,000 schools, then defaced login screens at Harvard, Princeton, Penn, Duke, and dozens of other campuses during finals week. The breach targeted Instructure, the company behind the Canvas learning platform used by more than 30 million people every day. The same extortion crew, ShinyHunters, had already hit Instructure once before. They warned the company they would be back. They were.

Canvas is back online as of Friday, May 8. The fallout is not. Instructure took its Free-For-Teacher accounts dark to kill the entry point, the FBI is coordinating with affected districts, and security teams are bracing for the next wave: targeted phishing emails crafted from the stolen rosters of who teaches what and who sits in which class.

The Numbers Behind the Largest Edtech Breach on Record

The headline figures are staggering, and they are the hackers’ figures, not Instructure’s. ShinyHunters claims to have exfiltrated 3.65 terabytes of records covering 275 million individuals across 8,809 schools, including private message threads they describe as numbering in the billions. Instructure has confirmed the categories of data accessed but has not validated the volume.

  • 275 million students, teachers, and staff potentially exposed, per the ShinyHunters leak post.
  • 8,809 institutions named on the dark-web listing, spanning the U.S., U.K., Australia, New Zealand, the Netherlands, and Sweden.
  • 30 million daily Canvas users globally and more than 8,000 paying institutional customers.
  • $0 in confirmed ransom paid so far, with a deadline ShinyHunters set for May 12.

Instructure’s own Instructure security update page confirms exposed data includes names, email addresses, student ID numbers, and Canvas Inbox and Discussion messages. The company says passwords, dates of birth, government identifiers, and financial information were not stolen.

Cracked padlock on glowing graduation cap symbolizing Canvas school data breach exposure.
Cracked padlock on glowing graduation cap symbolizing Canvas school data breach exposure.

Timeline: Nine Days That Broke a Vendor’s Credibility

Instructure’s chief information security officer Steve Proud told customers the situation was “contained” on May 2. Five days later, the same attackers proved otherwise by changing the page every Canvas user saw at login. The sequence is now public record.

  1. April 29 – Instructure detects unauthorized activity in Canvas.
  2. May 1 – CISO Steve Proud notifies customers of “a cybersecurity incident perpetrated by a criminal threat actor.”
  3. May 2 – Proud declares the incident “contained”; data classes accessed are disclosed.
  4. May 3 – ShinyHunters posts the breach on its leak site, demands Instructure make contact.
  5. May 7 – Login pages at Harvard, Princeton, Duke, Penn, OU, Wisconsin, Georgetown, and others are replaced with a ransom message; Instructure pulls Canvas offline.
  6. May 8 – Canvas returns. Free-For-Teacher accounts stay shut.

The defacement message did not mince words. “ShinyHunters has breached Instructure (again),” the post on the login pages read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'”

Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved. Pay or Leak.

That message, posted to the ShinyHunters leak site on May 3, is the clearest summary of what the attackers say they have. TechCrunch’s reporting on the May 7 defacement notes the hackers injected an HTML file that swapped the login screen for the ransom note, a low-effort move that worked across hundreds of campuses simultaneously.

The Free-For-Teacher Door That Was Never Closed

Instructure runs a free version of Canvas called Canvas Free-for-Teacher that any educator can sign up for without an institutional contract. That product, by Instructure’s own admission, is the way ShinyHunters got in twice. The first time the company patched what it could see. The second time the attackers walked back through what was left.

An Instructure spokesperson told Dark Reading the company “confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts” and that this was “the same issue that led to the unauthorized access the prior week.” The exact technical flaw — whether an authentication bypass, a privilege escalation, or an insecure direct object reference — has not been disclosed.

So Instructure did the only thing it could do quickly. It pulled the free product entirely. The paid Canvas instances are back. The free tier that millions of independent teachers used to host coursework is gone with no public restoration date.

This Is the Same Crew That Hit Salesforce and Snowflake

ShinyHunters is not new. Active since 2020, the group has built a playbook other extortion crews now copy: voice phishing a help-desk worker into resetting credentials, abusing OAuth tokens to walk into cloud platforms, then exfiltrating in under an hour and posting a deadline. Google’s Mandiant unit has tracked the same fingerprints across the 2024 Snowflake campaign and the 2025 Salesforce campaign that compromised more than 1,000 organizations.

Researchers at Push Security’s analysis of the Instructure intrusion link the initial access at Instructure to social engineering against the company’s own Salesforce instance — the same tactic the group ran against ADT in April 2026, which exposed 5.5 million customer records through a single voice-phished Okta login.

The September 2025 Warning Shot Nobody Acted On

ShinyHunters compromised Instructure’s Salesforce environment in September 2025. At the time, Instructure said no Canvas product data was accessed and described the exposed information as public business contact details. The company patched, moved on, and did not publicly link that intrusion to a broader threat campaign.

That was eight months ago. The same group came back. “Instructure didn’t fix all the vulnerabilities,” the May 7 defacement message read. “We have more.”

Canvas vs PowerSchool: A Pattern, Not a One-Off

The Canvas hack is the second catastrophic breach of a major U.S. edtech vendor in 17 months. PowerSchool, used by roughly 80% of North American school districts, was hit in late 2024 by a 19-year-old college freshman named Matthew Lane. The two incidents look different on the surface and identical underneath.

IncidentPowerSchool (Dec 2024)Canvas / Instructure (April-May 2026)
Records exposed~62.4 million students and teachers~275 million claimed
Sensitive data stolenSSNs, DOBs, addresses, medical notesNames, emails, IDs, private messages
Initial accessStolen contractor credentialsFree-For-Teacher exploit + Salesforce vishing
Ransom paid$2.85M in bitcoinNone confirmed
OutcomeDistricts re-extorted after paymentDefacement, public extortion, ongoing

PowerSchool paid. Lane and his associates kept extorting individual school boards anyway, with Canadian and North Carolina districts receiving threats as recently as May 2025. Lane was sentenced in March 2026 to four years in federal prison and ordered to pay $14.1 million in restitution per the Justice Department’s sentencing announcement. The lesson Instructure now faces in real time: paying does not necessarily end the attack.

What Was Actually Stolen and Why That Still Matters

Instructure has been precise about what is and is not in the dataset. The distinction matters because most identity-theft monitoring assumes Social Security numbers and dates of birth are the crown jewels. Here, they are not.

Confirmed exposed:

  • Full names tied to specific schools and courses
  • Email addresses, both school-issued and personal
  • Student ID numbers
  • The full text of Canvas Inbox messages and Discussion posts, which often contain phone numbers, home addresses, family details, mental-health disclosures, and private conversations between minors and teachers

Confirmed not exposed:

  • Passwords
  • Dates of birth
  • Social Security numbers or other government identifiers
  • Financial or payment data

The message archive is the part security researchers find most alarming. A phishing email that names your actual professor, references your actual section number, and mentions a topic from a real Discussion thread you posted in last week is almost impossible for a college freshman to recognize as fake. CISA’s phishing guidance for institutions calls this “contextual phishing” and ranks it as the leading entry point for follow-on attacks.

The Federal Safety Net That Used to Catch This

One detail buried under the breach coverage: the federal programs designed to help K-12 districts respond to exactly this kind of vendor compromise no longer exist. The Trump administration in 2025 shuttered the U.S. Department of Education’s Office of Educational Technology and discontinued K-12 cybersecurity programs offered through the Multi-State Information Sharing and Analysis Center. The K-12 Cybersecurity Government Coordinating Council, established in 2024, was paused in spring 2025.

That leaves districts on their own to contact the FBI, hire forensic firms, and notify families. Wealthy districts can afford it. The 12% of districts that allocate zero dollars to cybersecurity, per industry surveys, cannot.

“It’s making it harder for schools, effectively, because they’ve not only got to worry about their own systems, but they’ve also got to worry about the third-party systems that they’re employing,” said Rebecca Moody, head of data research at Comparitech, in a May 2026 K-12 Dive interview on the latest Comparitech 2025 education ransomware roundup.

What Students, Parents, and Teachers Should Do This Week

The phishing wave starts now and runs for months. Instructure can’t stop it. Schools can’t stop it. The only real defense is individual skepticism, and there are concrete steps that take less than 30 minutes.

  1. Change your Canvas password and turn on multi-factor authentication. Use a different password than any other account. Do this from a device you trust.
  2. Treat every Canvas-branded email as suspicious for the next 90 days. Do not click links inside the message. Type your school’s URL into the browser yourself, or use a saved bookmark.
  3. Place a free credit freeze for college students and minor children at Equifax, Experian, and TransUnion. Child identity theft can hide for years before discovery.
  4. Verify any urgent message claiming to be from a professor or administrator through a second channel — a text to their published number, a visit to office hours, an in-person check.
  5. Ignore extortion emails claiming the sender has your data. The FBI confirmed scammers are mass-mailing these to anyone whose address appeared in the dump. Do not pay. Do not reply. Report to the FTC’s official fraud reporting portal at ReportFraud.ftc.gov.

Frequently Asked Questions

How do I know if my school was actually affected by the Canvas breach?

Contact your campus IT help desk or check your school’s official communications page. Do not trust unofficial “affected schools” lists circulating on social media — many are inaccurate and some are themselves phishing lures. ShinyHunters listed 8,809 institutions, but Instructure has not yet released a verified, school-by-school confirmation. Watch your school email for an official notice; legitimate notifications will come from your institution’s own domain, not from @canvas-update.com or similar lookalikes.

Will my Canvas password still work, or do I need to reset it?

Your password still works because Instructure confirmed passwords were not stolen. Reset it anyway. The reasoning is simple: if you reused that password on another site, and that other site is later breached, attackers can correlate emails from the Canvas dump with passwords from elsewhere. Use a password manager to generate something long and unique, then turn on multi-factor authentication in your Canvas account settings under Security.

Is it safe to use Canvas right now for finals?

Yes. Instructure brought paid Canvas instances back online May 8 after revoking privileged credentials, rotating keys, and shutting down the Free-For-Teacher product the attackers used as their entry point. Several universities including the University of Illinois extended assignment deadlines and rescheduled exams during the outage. Check your school’s announcements for any specific finals adjustments before assuming your original schedule still holds.

What should parents of K-12 students do specifically?

Place a free credit freeze on your child’s credit file with all three bureaus, even if your district has not confirmed exposure. Children’s credit files are rarely monitored, which makes minors prime targets for synthetic identity fraud that surfaces years later. Talk to your child about ignoring any unexpected emails or texts that mention their teacher or class, and tell them to forward suspicious messages to you before clicking anything.

Should I expect free credit monitoring from Instructure or my school?

Probably not, because the stolen data does not include Social Security numbers or financial information that traditional credit monitoring tracks. Instructure has not announced a credit-monitoring offer as of publication. The bigger risk here is targeted phishing, not credit fraud. Spend the time you would put toward enrolling in monitoring on setting up multi-factor authentication and a password manager instead.

Why did this happen twice in eight months to the same company?

ShinyHunters first breached Instructure in September 2025 through its Salesforce instance, the same playbook the group used against more than 1,000 other companies. Instructure patched what it found and did not publicly disclose the link to a broader threat campaign. The April 2026 intrusion exploited a different weakness in the Free-For-Teacher product. The same crew, two different doors, eight months apart — a pattern security researchers call insufficient root-cause analysis.

Canvas is running again, and most students will finish their finals on roughly their original schedules. The harder problem will surface in the fall semester, when the first wave of contextually accurate phishing emails arrives in inboxes belonging to people whose course rosters and private messages now sit on a criminal forum somewhere. The breach was the news this week. The cleanup is going to take years.

Disclaimer: This article reports on a publicly disclosed cybersecurity incident and provides general guidance on consumer protective steps. It does not constitute personalized security, legal, or financial advice. Affected individuals should consult their institution’s IT and security teams for specific remediation guidance and a licensed financial advisor before making decisions about credit freezes or identity-protection services. Information regarding the scope of the breach and Instructure’s response reflects publicly available reporting as of May 9, 2026, and may change as the investigation continues.