
Canvas Hack Exposed 275M Student Records (May 2026)

During the first week of May 2026 — right in the middle of finals — the hacking group ShinyHunters breached Instructure's Canvas learning management system and walked away with 3.65 terabytes of data. The haul spans 9,000 schools and an estimated 275 million students, teachers, and staff, making it one of the largest education data breaches in history. Here is what happened, what was exposed, and what you should do right now.

Key Facts at a Glance

  • Breach discovered: May 2026, during finals week at thousands of institutions
  • Attacker: ShinyHunters, known for prior breaches at Ticketmaster and AT&T
  • Data stolen: 3.65TB — names, emails, student IDs, school affiliations, private messages
  • Scope: 9,000 schools, 275 million affected individuals
  • Ransom deadline: May 12, 2026

What Happened

Instructure, the company behind Canvas LMS, confirmed that attackers gained unauthorized access to its production systems in early May 2026. Canvas is the dominant learning management system in American education — used by K-12 districts, community colleges, and major universities alike. If your child attends a public school or you are enrolled at a college, there is a strong chance Canvas handles your coursework, grades, and communications.

ShinyHunters did not operate quietly. The group defaced the Canvas login page, replacing it with a message claiming responsibility and announcing a ransom deadline of May 12. For students and teachers trying to submit final exams or post grades, the timing was as disruptive as it was deliberate.

The stolen dataset totals 3.65 terabytes — an enormous volume that suggests the attackers had sustained access, not a quick smash-and-grab. For context, the 2017 Equifax breach that exposed 147 million Americans involved a fraction of this data volume. ShinyHunters is the same group behind the 2024 Ticketmaster breach that hit 560 million users and the AT&T breach that exposed call records for 73 million customers. They know how to monetize stolen data, and education records are no exception.

What Data Was Exposed

Based on available reporting and ShinyHunters' own claims, the breach includes:

  • Full names of students, teachers, administrators, and staff
  • Email addresses — both institutional (.edu) and personal addresses used for account recovery
  • Student IDs and internal identifiers
  • School and district affiliations — which institution each person belongs to
  • Private messages exchanged between students and teachers through Canvas's messaging system

This is not just a list of names and emails. The combination of school affiliation, student ID, and private message content creates a detailed profile of each affected individual. For minors, this data is particularly sensitive — it reveals where they go to school, who their teachers are, and what they discussed privately within the platform.

Instructure has not yet confirmed whether passwords, Social Security numbers, or financial data were included in the breach. If you are concerned your SSN may have been exposed in this or any other breach, the steps in our guide on what to do when your SSN is found on the dark web apply here as well.

How Breach Data Feeds the Data Broker Pipeline

This is the part most breach coverage misses. A data breach does not end when the headlines fade. The stolen records enter an ecosystem — one where they are combined, repackaged, and sold for years.

Here is how it works. Within days or weeks of a major breach, stolen data appears on dark web marketplaces and private Telegram channels. Buyers purchase bulk datasets and merge them with data from other breaches and public records. Data brokers — the companies that legally buy and sell personal information — end up incorporating this merged data into their own databases, either directly or through intermediaries.

The result is that a student's name and school email from the Canvas breach gets matched with a home address from a public records aggregator, a phone number from a previous breach, and a family tree from a people-search site. Suddenly, a 16-year-old who never gave anyone permission to sell their data has a comprehensive profile available for purchase by anyone with a credit card.

This is not hypothetical. Research from the data broker industry consistently shows that breach data is one of the primary raw materials feeding commercial data aggregation. The larger the breach, the more useful the data becomes because it covers a wider population and can be cross-referenced with more existing records.

Why Students and Minors Are Especially Vulnerable

Adults have at least some awareness of their digital exposure. Students — particularly K-12 students — typically have none. They did not choose to use Canvas. Their school chose it for them. They may not even know what data Canvas collected, let alone that it has been stolen.

Minors face several specific risks after a breach like this:

  • Child identity theft: Stolen data for children is more valuable to criminals because it comes with a clean credit history. Fraudsters open credit accounts in children's names that go undetected for years — often until the child applies for their first student loan or credit card.
  • Targeted phishing: Knowing a student's name, school, and teacher names makes phishing emails far more convincing. An email appearing to come from a teacher or school administrator is much harder to identify as fraudulent.
  • Long shelf life: A breached email address for a 14-year-old is useful to attackers for decades. The same data for a 60-year-old has a shorter window of exploitation.
  • Lack of monitoring: Most parents do not monitor their children's credit or digital footprint. Dark web monitoring for minors is almost nonexistent.

What You Should Do Right Now

Whether you are a student, parent, teacher, or school administrator affected by the Canvas breach, these steps will reduce your exposure.

  1. Change your Canvas password immediately. If you reused that password on any other service — email, banking, social media — change it there too. Use a unique password for each account. A password manager makes this manageable.
  2. Enable two-factor authentication. Turn on 2FA for your email account, especially the one associated with Canvas. If attackers have your email address, your email account is their next target because it is the gateway to resetting passwords on every other service you use.
  3. Freeze your credit (and your child's). Contact Equifax, Experian, and TransUnion to place a credit freeze. For minors, you can request a freeze even if they have no existing credit file — this prevents anyone from opening accounts in their name. It is free and takes about 15 minutes per bureau.
  4. Watch for phishing attempts. Expect sophisticated phishing emails that reference your school, your courses, or Canvas specifically. Any email asking you to "verify your account" or "reset your password" through a link should be treated as suspicious. Go directly to the Canvas website instead of clicking links.
  5. Check if your data is already circulating. Use a dark web monitoring service to see if your email addresses and personal details are already appearing in breach databases. The faster you know, the faster you can act.
  6. Remove your information from data broker sites. This is the step most people skip — and it matters more than most realize. Data brokers are already holding your name, address, phone number, and family connections. When breach data gets merged with those existing profiles, the combined result is far more dangerous than either dataset alone. Removing your information from brokers breaks that link.

The Case for Proactive Data Removal

You cannot un-breach the Canvas data. It is out there. What you can control is how useful that data is to the people who want to exploit it.

Stolen breach data on its own — a name and a school email — has limited value. It becomes dangerous when it gets combined with the rest of your digital footprint: your home address, phone number, employer, relatives' names, and the dozens of other data points that data brokers hold on virtually every American adult.

Removing your personal information from data broker databases means that even if your Canvas data is sold, bought, and resold, the people buying it cannot easily connect it to the rest of your life. The breach data stays an orphaned fragment instead of becoming a complete identity profile.

GhostVault monitors and removes your data from 500+ data brokers continuously for $3.99 per month. For parents with children affected by this breach, it is one of the most direct steps you can take to limit the long-term damage — not just from this breach, but from every breach that follows.

What Schools Should Be Doing

If you are a school administrator or IT director, the Canvas breach raises serious questions about vendor security and data governance. FERPA requires educational institutions to protect student records, and that obligation extends to third-party platforms like Canvas.

Schools should be communicating clearly with affected families — not just that a breach occurred, but what specific data was exposed and what concrete steps families should take. They should also be reviewing their data sharing agreements with Instructure and evaluating whether Canvas's security posture meets the standard required to handle student data going forward.

For teachers whose personal email addresses or private messages were exposed, the identity theft prevention steps that apply to students apply equally to you.

The Bigger Picture

The Canvas breach is not an isolated incident. Education technology has expanded rapidly over the past several years, and security has not kept pace. Schools adopted digital platforms under pressure — first during the pandemic, then because modern education simply requires them. But the security frameworks protecting that data were built for an era when student records lived in filing cabinets, not cloud databases accessible from anywhere in the world.

275 million records. That is not just a statistic. It is nearly every student and teacher in the United States, plus many internationally. If you have interacted with Canvas in any capacity, assume your data was included and take protective action now. Do not wait for your school's notification letter.

The breach data is already moving through the ecosystem. The window to get ahead of it is now.

Frequently Asked Questions

What data was exposed in the Canvas Instructure breach?

The breach exposed 3.65 terabytes of data including full names, email addresses, student IDs, school affiliations, and private messages between students and teachers. The stolen data spans 9,000 educational institutions and affects an estimated 275 million students, teachers, and staff.

Who hacked Instructure's Canvas LMS?

The hacking group ShinyHunters claimed responsibility for the breach. ShinyHunters is a well-known cybercriminal collective previously linked to breaches at Ticketmaster, AT&T, and other major companies. The group defaced the Canvas login page and set a ransom deadline of May 12, 2026.

How do I know if my data was in the Canvas breach?

If you or your child has used Canvas through any K-12 school, college, or university, your data was likely included. Canvas is used by over 9,000 institutions and serves roughly 275 million users. Your school should notify you directly, but you should not wait for that notification to take protective action.

Can breached student data end up on data broker sites?

Yes. Data from large-scale breaches is routinely aggregated and sold to data brokers, who combine it with public records and other sources to build detailed personal profiles. Student names, emails, and school affiliations from the Canvas breach can be matched with existing broker records to create more comprehensive profiles that are then sold commercially. Learn more about data brokers and how they operate.

What should parents do after the Canvas data breach?

Parents should change their child's passwords on Canvas and any accounts that share the same credentials, enable two-factor authentication wherever possible, freeze their child's credit with all three bureaus, monitor for phishing emails referencing school or Canvas activity, and proactively remove personal information from data broker sites to prevent breach data from being cross-referenced with existing profiles.
