Instructure (Canvas LMS) Data Breach Investigation: Universities, School Districts and Students

 Chimicles Schwartz Kriner & Donaldson-Smith is investigating potential class action claims on behalf of universities, colleges, K-12 school districts, and the students, parents and educators who rely on the Canvas learning management system operated by Instructure. A recent cyberattack may have compromised the sensitive personal information of millions of students at educational institutions across the country and worldwide.

Canvas is used by approximately 41% of higher education institutions in North America and by millions of K-12 students. In some states, Canvas serves as the standard learning management system across all public schools. The scope of this breach is unprecedented in the education technology space.

What Happened?

Instructure reports that it first detected service disruptions affecting tools relying on API keys on April 30, 2026, and by May 1, 2026, confirmed that the incident was the result of a criminal cyberattack. The company engaged outside forensic cybersecurity experts and law enforcement to investigate the scope and impact of the breach.

The ShinyHunters extortion group claimed responsibility for the attack on May 3, 2026, alleging the theft of more than 3.65 terabytes of data tied to approximately 275 million individuals across nearly 9,000 schools, universities, and other educational institutions. ShinyHunters stated the data was stolen by exploiting a vulnerability in Instructure’s systems, which has since been patched. The group has threatened to release the stolen data, including what it described as several billions of private messages among students and teachers, if its demands are not met by May 12, 2026.

Instructure reports that the data breached includes Names; Email addresses; Student ID numbers; and Private messages exchanged between users on the Canvas platform.

ShinyHunters has alleged that additional data was compromised with the investigation ongoing.

Canvas was experiencing a global outage in response to the breach but users were referred only to Instructure’s official page for updates. This is especially unnerving and tumultuous for educators and students during this end-of-school-year period with many exams already in full swing.

Why Is This Especially Concerning?

Canvas is far more than a homework portal. Students and educators use the platform’s messaging features to communicate about deeply sensitive matters, including potentially about medical conditions, mental health disclosures to academic advisers, requests for disability accommodations, and communications with Title IX advocates. The exposure of these private messages creates risks that go well beyond typical data breach scenarios.

With names, institutional email addresses, student ID numbers, and private messages now potentially in the hands of criminals, there is a heightened risk of targeted phishing, identity theft, impersonation, and social engineering attacks designed to look like legitimate communications from school administrators, professors, teachers, or classmates.

Universities, colleges, and school districts also face institutional risks related to compliance under federal law (FERPA), reputational harm, and the obligation to notify affected students, families, and employees.

Who May Be Affected

Any current or former students (including minors in K-12 settings), teachers, professors, instructors, or administrative staff at a university, college, or school district that uses, or used, Canvas may be affected by this data breach.

What Should You Do?

If you believe your information may have been affected by this breach, please contact our data breach attorneys directly by completing the form below to learn more about your potential legal rights and our ongoing investigation.