275 Million Students' Data Stolen in Massive Canvas Education Platform Breach

If your child's school uses Canvas — and a staggering number do — this is a story you need to read right now. The Instructure-owned learning management platform at the heart of millions of classrooms has suffered a major data breach, and the group responsible is now threatening to publish everything unless schools and administrators pay up.

Here's what happened, who's behind it, and — most importantly — what you and your family should do today.

What Happened?

Instructure, the company behind the widely used Canvas learning management system (LMS), confirmed a cyberattack that resulted in the theft of student data including names, personal email addresses, student ID numbers, and messages sent between teachers and students.

The cybercrime group ShinyHunters claimed responsibility for the attack, saying it stole roughly 275 million records tied to students, teachers, and staff across nearly 8,809 school districts, universities, and online education platforms. Per-institution record counts reportedly range from tens of thousands to several million.

But it didn't stop there.

A Second Attack: Login Pages Defaced

As if the initial breach wasn't alarming enough, TechCrunch reported that hackers defaced the Canvas login pages of multiple schools — injecting HTML to replace normal login screens with a threatening message directly from ShinyHunters. The group is calling this a second, separate breach.

The message warned that if Instructure does not "negotiate a settlement," the full dataset will be published publicly on May 12, 2026.

According to The Verge, the ransom message from ShinyHunters reads in part:

"Instructure has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches.' If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked."

The defaced login pages and the direct message to TechCrunch signal that ShinyHunters is deliberately escalating pressure on Instructure and the thousands of schools that depend on their platform.

ShinyHunters is no stranger to high-profile attacks. The Verge notes the group has previously claimed responsibility for breaches at Ticketmaster, AT&T, Rockstar Games, ADT, and Vercel — following the same financially motivated playbook every time: hack, publicize, and extort.

Is Your School on the List?

With nearly 9,000 institutions reportedly affected, the reach of this breach is extraordinary. Malwarebytes advises parents to start with the notification from their school or district and Instructure's own updates to understand exactly what data about their child was involved.

Before acting on any notification, verify it's legitimate. If a message looks suspicious — unusual links, pressure to act immediately, or requests for additional personal data — go directly to your school district's or Instructure's official website rather than clicking anything in the message.

What Parents and Students Should Do Right Now

Whether or not you've received an official notice from your school, these steps are worth taking immediately if your family uses Canvas.

1. Change Canvas Passwords Now

If your child logs into Canvas with a username and password (rather than single sign-on through the school), change that password immediately. Malwarebytes also recommends checking for password reuse — if your child uses the same password for Canvas as they do for email, gaming accounts, or social media, change those too. Every account should have its own unique, strong password. A family password manager can make this far more manageable, especially for households juggling multiple kids and accounts.

2. Enable Multi-Factor Authentication (MFA)

Where your school's platform allows it, turn on multi-factor authentication. Malwarebytes recommends having MFA codes go to a device or app you control — and reminding kids that security codes are like short-term passwords and should never be shared with anyone, including someone claiming to be "IT support."

3. Consider Extra Identity Protection for Minors

If the breach included sensitive identifiers, ask your school and Instructure what protections are being offered. Malwarebytes points out that in some regions you can place a credit freeze on a minor's file to prevent new accounts being opened in their name — even if your child is too young for a credit file today, it's worth noting this incident for future reference.

4. Watch Out for Follow-On Scams

This is where things can get worse for families caught in a breach. Attackers frequently reuse data stolen from education platforms to craft convincing phishing messages — referencing real school names, teacher names, and course titles to appear legitimate. Be highly skeptical of any email or text asking you to "confirm" login details, open unexpected attachments described as "new assignments," or pay fees through unusual methods.

As Malwarebytes advises: **