Instructure (Canvas LMS) Data Breach Investigation

Chimicles Schwartz Kriner & Donaldson-Smith is investigating potential class action claims against Instructure, the education technology company behind the widely used Canvas learning management system, in connection with a cyberattack and related data breach that may have compromised sensitive personal information of students, teachers, and staff at educational institutions worldwide.

According to Instructure and public reporting, the ShinyHunters extortion group has claimed responsibility for the incident, alleging that data tied to approximately 275 million individuals across nearly 9,000 schools, universities, and other institutions was stolen.

What Happened at Instructure?

Instructure reports that it first detected service disruptions affecting tools relying on API keys on April 30, 2026, and by May 1, 2026, confirmed that the incident was perpetrated by a criminal threat actor. The company engaged outside forensic cybersecurity experts and law enforcement to investigate the scope and impact of the breach.

The forensic investigation determined that an unauthorized third party accessed Instructure’s systems and viewed or acquired certain user data.

On May 3, 2026, the ShinyHunters extortion group listed Instructure on its data leak site, claiming responsibility for the attack and alleging the theft of more than 3.65 terabytes of data. ShinyHunters stated that the data was stolen by exploiting a vulnerability in Instructure’s systems, which has since been patched.

Public reporting notes that this is Instructure’s second confirmed breach in approximately eight months. In September 2025, the same group exploited a social engineering attack against the company’s Salesforce environment, raising serious questions about whether remediation efforts following the first breach were sufficient.

As part of its response, Instructure reports that it revoked privileged credentials and access tokens, deployed security patches, rotated application keys, and implemented increased monitoring across all platforms. Customers were required to re-authorize access to Instructure’s API for new application keys to be issued.

What Information Was Compromised?

Instructure reports that, based on its investigation to date, the affected data may have included the following categories of information:

Instructure states that, at this time, it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. However, ShinyHunters has alleged that additional data was compromised, including information from Instructure’s Salesforce instance, and the investigation remains ongoing.

Why Is This Important?

Data breaches involving student and educator information can create serious risks of targeted phishing, identity theft, impersonation, and social engineering attacks. With names, institutional email addresses, student ID numbers, and private messages in the wrong hands, attackers can craft highly convincing scams that appear to come from a school administrator, teacher, or classmate.

What Should You Do?

If you are a student, parent, teacher, or staff member at an institution that uses Canvas by Instructure, or if you believe your information may have been affected by this breach, you may contact our data breach attorneys by completing the form below to learn more about your potential legal rights and our ongoing investigation.