Instructure Data Breach Exposes Student Records Across 9,000 Schools

Instructure, the company behind Canvas LMS, has confirmed a data breach that exposed personal information belonging to users across thousands of educational institutions worldwide. The Instructure data breach, disclosed on May 1, 2026, affected names, email addresses, student ID numbers, and private messages between users. The extortion group ShinyHunters has since claimed responsibility, alleging a scale that, if confirmed, would place this among the largest education sector breaches on record.

What Was Accessed

Instructure confirmed that the attack was carried out by a criminal threat actor and that outside forensics experts were brought in immediately to investigate. By May 2, the company had contained the incident and issued an update confirming that user data was involved.

The exposed information includes names, email addresses, student ID numbers, and messages exchanged between users. Instructure stated it has found no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. In response, the company revoked privileged credentials, rotated application keys, deployed security patches,and expanded monitoring across its systems. Customers are required to reauthorize access to Instructure's API to receive new application keys.

Canvas Data 2 and Canvas Beta environments were placed under maintenance from May 1, causing disruption to tools that rely on API keys. Access to Canvas Data 2 was restored by May 3.

ShinyHunters Claims a Massive Haul

On May 3, ShinyHunters listed Instructure on its Tor-based data leak site. The group claims to hold over 3.65 terabytes of uncompressed data and alleges that the breach affected nearly 9,000 educational institutions worldwide. Their posting puts the number of affected individuals at 275 million, students, teachers, and staff, along with billions of private messages. The group also claims Instructure's Salesforce instance was compromised as part of the attack.

ShinyHunters issued a ransom deadline of May 6, 2026, threatening a full public leak if Instructure fails to respond. Instructure has not publicly addressed the extortion claims or confirmed the figures the group has put forward. The gap between the company's confirmed disclosure and ShinyHunters' assertions remains significant and has not been independently verified.

A Second Breach in Under a Year

This is not Instructure's first encounter with ShinyHunters. In September 2025, the company disclosed a separate incident in which a social engineering attack gave attackers access to its Salesforce instance. At the time, Instructure stated that no Canvas product data was accessed and that the exposed information was largely publicly available business contact data. ShinyHunters claimed responsibility for that incident as well, listing Instructure on its leak site before the company had completed its investigation.

Two confirmed breaches in eight months, involving the same threat actor and, in both cases, Salesforce infrastructure, raises serious questions about whether the remediation steps taken after the first incident were sufficient.

A Pattern Across the Edtech Sector

Instructure's situation reflects a broader and accelerating pattern of attacks against education technology platforms. These companies hold concentrated volumes of sensitive personal data — student records, institutional data, private communications — across millions of users at once.That concentration makes them high-value targets.

In January 2025, PowerSchool disclosed a breach in which a threat actor claimed to have stolen data belonging to 62 million students. That case has since resulted in a $17.25 million settlement and ongoing federal litigation. Infinite Campus has also been listed on ShinyHunters' leak site as part of what appears to be a coordinated campaign targeting edtech platforms through Salesforce environments and social engineering rather than direct network intrusion.

Canvas is used by more than 7,000 universities, K-12 districts, and education ministries globally. The platform's reach means a confirmed breach at this scale would carry regulatory consequences across multiple frameworks. Student data is protected under FERPA in the United States, and the updated COPPA rule, which took effect April 22, 2026, tightens consent and breach notification requirements for data belonging to children under 13. State-level student privacy laws add a further layer of obligation across roughly 130 statutes.

What Institutions Should Do Now

Schools and universities running Canvas should treat this as an active situation until Instructure provides a full post-incident disclosure. Rotating API keys and reauthorizing integrations, as Instructure has directed, is an immediate priority. But institutions should also audit what data flows exist between Canvas and third-party platforms, particularly Salesforce-connected environments.

The Instructure data breach underscores a vulnerability that extends beyond any single vendor: edtech platforms often sit at the center of sprawling integration ecosystems, and a compromise at the platform level can propagate across every connected system. Organizations with FERPA or COPPA obligations should document their response steps now, before regulators ask.