Canvas got breached. Again.
Instructure, the company behind the Canvas learning management system used by roughly 7,000 universities and a growing slice of K-12 districts nationwide, confirmed a data breach this weekend. The extortion group ShinyHunters claims they took 3.65 terabytes of data covering 275 million students, teachers, and staff across nearly 9,000 schools, plus billions of private messages. Instructure has confirmed the breach but not the scale. Most outlets are leading with the line that no passwords were stolen. That framing is doing a lot of misleading work.
Here's the timeline, from Instructure's own status page. April 30, "limited disruption to tools relying on API keys." May 1, CISO Steve Proud publicly confirmed a "cybersecurity incident perpetrated by a criminal threat actor." May 2, contained. May 3, ShinyHunters listed Instructure on their leak site (the public extortion page criminals use to pressure victims) with sample data that DataBreaches.net reports appears to confirm the claim. One sample file alone listed more than 7,700 institutions.
What Instructure says was taken: names, institutional email addresses, student ID numbers, and the contents of messages between Canvas users. What Instructure says was not taken: passwords, dates of birth, government identifiers, financial information.
The second list is the consolation prize. The first list is the prize.
This is the second confirmed Canvas breach in eight months. September 2025 hit Instructure's Salesforce instance, also attributed to ShinyHunters. PowerSchool lost data on roughly 62 million students in January 2025 and settled for $17.25 million. Infinite Campus disclosed a Salesforce-related theft in March 2026. The vendors are different. The pattern is not. One SaaS company holding records on tens of millions of students across thousands of districts gets compromised, and every one of those districts inherits the breach simultaneously.
Here's what this means. A list of real names paired with verified institutional email addresses is not "metadata." It's the input that turns a generic phishing email into one that names your kid's actual professor, the actual class, and the assignment that was actually submitted last week. The breach itself is over. The phishing wave it enables is what most of us will actually have to navigate. Plan on a 60 to 90 day window of "your Canvas access expired" emails and fake "new message from your professor" prompts. The first one is easy to spot. The thread reply that lands 48 hours later, in the same conversational tone, with the right names attached, is the one that gets people. That is the part "no passwords" is hiding. I would rather a school district told me "this is what's coming" than "your password is safe."
What to do this week:
Treat any "Canvas" email as suspicious through summer. Verify by typing canvas.yourschool.edu directly into the browser. Don't click email links.
Rotate the password Canvas signs in with. Even if Instructure says it wasn't taken. Ninety seconds.
Turn on a hardware key or passkey if your school offers it. Phishing-resistant MFA (multi-factor authentication that doesn't break under a real-time relay attack) is the only category that survives this kind of campaign.
Parents of K-12 kids: ask your district when breach notification is coming. The updated COPPA rule that took effect April 22 tightened the clock.
School IT admins: rotate every Canvas API key on your tenant. Instructure rotated theirs. Yours are yours.
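For admins who want to apply the "verify the hostname, don't trust the link" rule above to reported or quarantined mail, here is an added example (not code from Instructure or the cited reporting). It flags links in Canvas-themed messages that do not point at the tenant's exact Canvas hostname; `CANVAS_HOST`, the function names, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

CANVAS_HOST = "canvas.yourschool.edu"  # assumption: replace with your tenant's hostname

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(raw_message):
    """Return [(href, reason)] for links in a Canvas-themed mail that leave CANVAS_HOST."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    if "canvas" not in (msg["Subject"] or "").lower() + html.lower():
        return []
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or host == CANVAS_HOST:
            continue
        # Exact match only: a lookalike can carry the real name as a prefix or label.
        reason = "lookalike host" if CANVAS_HOST in host else "off-tenant host"
        if CANVAS_HOST in text.lower():
            reason += ", anchor text shows the real Canvas name"
        findings.append((href, reason))
    return findings

# Constructed sample message, not taken from the incident.
SAMPLE = """\
Subject: Your Canvas access expired
Content-Type: text/html; charset="utf-8"

<p><a href="https://canvas.yourschool.edu.login-check.example/renew">https://canvas.yourschool.edu/renew</a>
<a href="https://canvas.yourschool.edu/courses/1">course</a> <a href="https://files.example/doc">attachment</a></p>"""
```

Calling `suspicious_links(SAMPLE)` returns the lookalike link and the off-tenant link and skips the one that really points at the tenant.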
Instructure's own response was actually fast: containment in about 36 hours, transparent CISO updates, application keys rotated. The problem isn't this vendor. It's that one company holding 275 million people's records means a very bad day cascades across 9,000 schools at once.
Source: BleepingComputer, "Instructure confirms data breach, ShinyHunters claims attack," May 3, 2026. https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/
Background: BleepingComputer, "Edu tech firm Instructure discloses cyber incident, probes impact," May 1, 2026. https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/

