Canvas, one of the most widely used learning management systems in the world, suffered a cyberattack that has potentially exposed the personal data of millions of students, teachers, and staff across more than 9,000 educational institutions in at least 10 countries. The attack was carried out by ShinyHunters, a criminal extortion group with a documented history of large-scale data theft, and its scope continues to expand as affected institutions assess their exposure.
Instructure, the Utah-based company that owns Canvas, confirmed the breach publicly after the attack was first detected on April 30, 2026. By May 1, the company had confirmed a criminal intrusion was underway and brought in outside forensics experts to investigate. The incident has since drawn attention across the United States, Australia, the United Kingdom, Sweden, and beyond.
What was taken and what was not
Instructure confirmed that the data accessed during the breach includes names, email addresses, student ID numbers, and private messages sent through the Canvas platform. The company says there is currently no evidence that passwords, dates of birth, financial information, or government identifiers such as social security numbers were compromised.
ShinyHunters has claimed responsibility on its dark web channel, asserting it obtained 3.65 terabytes of data covering an estimated 275 million individuals, including students, teachers, and other staff, along with several billion private messages exchanged on the platform. The group has threatened to release the data publicly unless Instructure pays an undisclosed ransom. As of publication, the stolen data had not been made available.
Katy Challis, Director of Privacy at the Utah State Board of Education, told local media that the risk of identity fraud from this particular breach is lower than it would be if more sensitive data elements had been involved. She acknowledged, however, that having personal information held by an unknown third party is unsettling regardless of the technical risk level, and said phishing scams represent the most immediate concern for affected users.
Elite universities named in the breach
To increase pressure on Instructure, ShinyHunters released a list of more than 8,800 affected institutions across 10 countries. Among those named are Harvard University, the University of Oxford, and MIT, placing some of the world’s most prominent academic institutions among those potentially affected by the breach.
Canvas is used broadly across higher education in addition to K-12 schools, making the platform an especially attractive target for a group seeking maximum leverage. The list also includes institutions across Australia, where the Queensland government confirmed that tens of thousands of students and staff who used Canvas through its QLearn platform since 2020 are likely affected. Victoria University of Wellington, Auckland University of Technology, and the University of Auckland have all confirmed they are investigating potential impacts on their communities.
How the attack fits a larger pattern
The Canvas breach is the latest in a series of high-profile cyberattacks targeting education technology vendors rather than individual schools. In 2024, PowerSchool suffered a breach affecting an estimated 62 million students globally. The strategic logic behind these attacks is straightforward: compromising a single widely used platform produces a far larger dataset than attacking individual institutions one at a time.
The education sector has become one of the most frequently targeted industries for this reason. The combination of large shared platforms, sensitive personal data, and institutional reliance on third-party vendors creates conditions that criminal groups have learned to exploit systematically.
What users and institutions should do
For individuals with Canvas accounts, the most immediate action is heightened vigilance around phishing attempts. Emails appearing to come from Canvas, Instructure, or affiliated schools asking users to verify account information or click unfamiliar links should be treated with caution. Going directly to official websites rather than following email links is the safest approach.
Changing Canvas passwords is advisable as a precautionary step, even though passwords are not believed to have been part of the stolen data. Users who reuse the same password across multiple platforms have additional reason to update their credentials broadly.
For institutions, the breach is a prompt to review vendor data agreements, confirm what personal information third-party platforms hold on students and staff, and ensure that incident response protocols are documented and current. Instructure has said it is contacting affected institutions directly, and affected schools in Utah have been told that parent notifications will follow once the full scope of the incident is better understood.
