Hacking group ShinyHunters stole 3.65 terabytes of data from Instructure’s Canvas platform — the learning management system used by 41% of North American colleges and roughly 9,000 schools worldwide. The stolen haul includes names, email addresses, student IDs, course records, and billions of private messages between students and teachers. Instructure paid the ransom. The company says the hackers destroyed the data. There is no way to verify that.
The breach hit during finals week in early May, compounding the damage. Students at institutions from Duke to Rutgers found themselves locked out of exam submissions, course materials, and assignment portals while Instructure scrambled to contain the attack.
What Happened
The timeline makes this worse than a single breach. ShinyHunters had already compromised Instructure’s separate Salesforce environment in September 2025 through a social-engineering attack. The Canvas breach itself began when the group exploited a production-system vulnerability — Instructure detected unauthorised activity around April 29–30, 2026, notified customers on May 1, and initially described the incident as “contained.”
It wasn’t. ShinyHunters posted a ransom demand on May 3 with a May 6 deadline. Instructure declared the situation “resolved” on May 6. The next day, the hackers defaced Canvas login pages at hundreds of schools and issued a new deadline: May 12.
On May 11, Instructure reached an agreement — widely reported as a ransom payment, though the company has never disclosed the amount — and announced the hackers had provided “digital confirmation of data destruction (shred logs).”
CEO Steve Daly acknowledged the company “got the balance wrong” between investigating the breach and communicating with schools and students. That’s an understatement. For over a week, tens of millions of active users and thousands of institutions were left guessing about the safety of their data while Instructure issued vague reassurances that turned out to be premature.
Why the Private Messages Matter
A leak of names and email addresses is bad. A leak of billions of private messages between students and faculty is something qualitatively different.
Canvas messages routinely contain disability accommodations, mental health discussions, grade disputes, family emergencies, financial hardship explanations, and other deeply personal information that students shared expecting confidentiality. This isn’t metadata — it’s the substance of private conversations between people in positions of trust.
Legal analysts at Reed Smith noted that the inclusion of private messages makes this “qualitatively different from a typical email-and-name data leak.” Students who disclosed sensitive personal circumstances to their professors now have to wonder whether those conversations are sitting on a hacker’s server somewhere, ransom payment or not.
Paying Ransoms Doesn’t Delete Data
Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, warned that paying a ransom “can create a dangerous feedback loop where attackers are effectively rewarded for successful breaches” and “reinforces the economic incentive structure behind cyber extortion.” The fundamental problem is straightforward: digital data can be copied instantly and endlessly. A promise to destroy it is worth nothing.
ShinyHunters is not a new operation. The group has a track record of major breaches and data sales on dark web marketplaces. Taking their word that 3.65 terabytes of valuable data was deleted — data they’d already demonstrated the ability to exploit — requires a level of trust that no security professional would extend.
Instructure’s decision to pay may have been the least bad option in the moment. But for the 275 million people whose records were stolen, it changes nothing. The data was copied, exfiltrated, and held by criminals. Whether it was subsequently deleted is unknowable.
Schools Have Their Own Obligations
Instructure’s settlement with ShinyHunters doesn’t resolve the legal exposure for schools. Under the Family Educational Rights and Privacy Act (FERPA), educational institutions have independent notification obligations when student records are compromised. State data breach notification laws add further requirements.
Schools can’t outsource their data protection responsibilities to a vendor, and a vendor’s settlement with hackers doesn’t satisfy a school’s duty to its students. Institutions using Canvas need to independently assess what was exposed, notify affected individuals, and review their vendor contracts.
Class action attorneys are already investigating. The scale — nearly 9,000 institutions, 275 million individuals — makes this one of the largest education data breaches in history.
The Centralisation Problem
Canvas controls 41% of the North American higher education LMS market. When one platform holds the academic records, private communications, and personal data of hundreds of millions of students across thousands of institutions, a single breach becomes a systemic crisis.
This is the same centralisation risk that plays out across Big Tech cloud services. When everyone depends on the same platform, everyone falls at once. The Canvas breach didn’t just expose data — it disrupted exams, locked students out of coursework, and forced schools into crisis management mode during their most critical assessment period.
Decentralised, self-hosted alternatives exist for learning management. Moodle, the open-source LMS, can be hosted on institutional infrastructure or privacy-respecting cloud providers where schools retain full control over their data. More than 500 million users are registered across Moodle sites worldwide. The trade-off is that institutions must invest in their own infrastructure and IT capacity — but in exchange, a single vendor compromise doesn’t cascade across the entire sector.
What to Do Now
If you or your children used Canvas at any point, assume your data was included:
- Treat every school-related email as suspect. Attackers now have email addresses, student IDs, and potentially enough context from private messages to craft convincing scams. Be sceptical of anything referencing your institution, coursework, or financial aid.
- Change reused passwords. Instructure says credentials weren’t taken, but if you used your Canvas password anywhere else, change it there now.
- Turn on two-factor authentication everywhere it’s offered — starting with email and financial accounts.
- If you run an institution still using Canvas, ask where student data is stored, who can access it, and what your FERPA notification plan is. Don’t wait for the vendor’s press release to define your obligations.
Why This Matters
If you’ve ever used Canvas as a student or educator, your data was likely part of this breach. That includes every private message you sent through the platform. Instructure says passwords and financial data weren’t taken, but the personal information that was stolen — names, emails, student IDs, and private communications — is more than enough to fuel targeted phishing and identity fraud for years.
Watch for phishing emails that reference your school, courses, or professors by name. Enable two-factor authentication everywhere. And if you’re at an institution still deciding how to communicate this to students: be direct, be specific about what was taken, and don’t hide behind your vendor’s press releases.
The broader lesson is one that keeps repeating: when you hand your data to a centralised platform, you’re trusting that platform with everything. Canvas held billions of private messages because that’s how the system was designed — all communications flowing through a single corporate infrastructure. The students who sent those messages had no choice in the matter. Their schools chose Canvas, and Canvas chose to store everything in one place.
That’s a decision worth questioning — in education, in cloud services, and everywhere else.