Canvas Breach Exposes 275M Records, Ransom Paid

The platform that runs final exams for thousands of schools became the center of what researchers are calling the largest education-sector breach on record. The extortion group ShinyHunters claimed it stole personal data tied to 275 million people from Instructure's Canvas system, and the company reportedly paid a ransom that included a clause requiring the attackers to destroy the stolen files. If your school uses Canvas, you should assume your data was in scope and act accordingly.

Key takeaways

• ShinyHunters claimed to have stolen roughly 275 million records and 3.65 terabytes of data from Instructure's Canvas platform.
• The group shared a list of 8,809 affected school districts, universities, and online education providers.
• Exposed data reportedly included names, email addresses, student IDs, and course information.
• The attack exploited a vulnerability in Instructure's production systems that the company says has since been patched.
• Instructure reportedly reached a settlement that included a "shred logs" clause requiring attackers to destroy the data.

What happened

Instructure's chief information security officer notified customers on May 1 that the company had experienced a cybersecurity incident carried out by a criminal threat actor. The intrusion exploited a vulnerability in Instructure's production systems, which the company says it has since patched. ShinyHunters, a prolific extortion group behind a string of 2026 breaches, claimed responsibility and put a staggering figure on its haul: data on more than 275 million individuals, totaling about 3.65 terabytes, including what it described as billions of private messages.

The attackers shared a list of 8,809 school districts, universities, and online education platforms they claimed were affected, with per-institution counts ranging from tens of thousands to several million records. Exposed fields reportedly included names, email addresses, student IDs, and course information. The timing was brutal: the disruption hit during finals week at many institutions, leaving some students locked out of coursework.

Here are the core figures at a glance:

Detail	Reported figure
Records claimed stolen	~275 million individuals
Data volume	~3.65 terabytes
Institutions named	8,809 districts, universities, providers
Data exposed	Names, emails, student IDs, course info, messages
Disclosure date	CISO notified customers May 1, 2026
Resolution	Reported ransom payment with "shred logs" clause

Why it matters

The breach exposes a structural risk: education has consolidated onto a small number of cloud vendors, so a single compromised provider can put hundreds of millions of records at risk simultaneously. This is the same concentration problem that turns one company's bad day into everyone's, a pattern we have written about in the context of infrastructure outages.

The reported resolution is also controversial. Instructure is said to have settled with ShinyHunters, agreeing to a ransom that included a "shred logs" clause obligating the attackers to delete the stolen data. Security professionals widely distrust such promises, since there is no way to verify a criminal group has actually destroyed copies. For affected individuals, the practical risk, including targeted phishing, persists regardless of any settlement. If you may be caught up in this, our guides on checking whether your data was breached and defending against AI-driven phishing walk through concrete steps.

What is next

For institutions and individuals, the response is more important than the headline:

1. Confirm exposure. Schools should determine whether their Canvas instance is on the affected list and notify their communities.
2. Reset and monitor. Users should change passwords, enable multifactor authentication, and watch for phishing referencing their school.
3. Vendor scrutiny. Districts are reassessing how much sensitive data sits with single cloud providers and what contractual protections exist.
4. Regulatory follow-up. Expect breach-notification obligations and possible investigations given the record scale.

What to do tonight

If you, your child, or your students use Canvas, do not wait for an official notice:

• Change your Canvas password and your school email password, using something unique to each.
• Turn on multifactor authentication on your school account and any account that reused the same password.
• Assume phishing is coming. Treat any message referencing your school, grades, or a "Canvas login" as suspicious; never click the link, go to the site directly.
• Check exposure with a service like Have I Been Pwned once breach data is indexed.
• Warn the family. Younger students are prime targets for school-themed phishing and may not recognize it.

Frequently asked questions

How many people were affected by the Canvas breach?

ShinyHunters claimed to have stolen data on roughly 275 million individuals across 8,809 educational institutions, making it the largest known education-sector breach. Instructure has confirmed a cybersecurity incident affecting its cloud environment.

What data was stolen?

Reported data includes names, email addresses, student IDs, and course information, along with what the attackers described as billions of private messages, totaling about 3.65 terabytes.

Did Instructure pay a ransom?

Reports indicate Instructure reached a settlement with the attackers that included a clause requiring them to destroy the stolen data. Security experts caution that such promises cannot be verified.

What should affected users do?

Change your Canvas and email passwords, turn on multifactor authentication, and be alert for phishing messages that reference your school or coursework. Treat any unexpected request for credentials as suspicious.

A patched vulnerability and a paid ransom do not put 275 million records back in the box. The lasting takeaway is about concentration: when one vendor holds the data of nearly every school, its security failures become everyone's problem.