
Canvas Data Breach 2026: How to Easily Secure Your Account?

👤 Bhanu Prakash 📅 May 13, 2026 ⏱ 11 min read

On May 7, 2026, millions of students opened Canvas to study for finals. Instead of their courses, they saw a ransom note. The Canvas data breach 2026 exposed 3.65 terabytes of records from roughly 275 million users across 8,809 schools, the largest education-sector breach ever recorded. ShinyHunters, the same group behind the Cushman & Wakefield Salesforce theft, walked away with usernames, emails, course names, and private student-teacher messages.

So, you might be wondering whether your login is one of the 275 million. This guide explains exactly what happened, what data was taken, what wasn't, and the four steps you should take today to lock down your login.

Key Takeaways

  • 3.65 TB stolen from 275 million users, the largest school breach on record.
  • ShinyHunters used a Free-For-Teacher login flaw to access Canvas LMS production data.
  • Passwords, dates of birth, and financial data were NOT exposed, but emails, course names, and private messages were.
  • Instructure reportedly paid the ransom on May 11, and ShinyHunters claims the stolen data was wiped.
  • Universities in the US, Canada, and Australia lost exam access during finals week.


What Happened in the Canvas Data Breach 2026

The Canvas data breach 2026 unfolded across roughly twelve days in early May. Instructure, the firm behind Canvas LMS, first reported a security incident on May 1 and May 2. The breach involved unauthorized access to user records held for ransom by the threat group ShinyHunters.

The picture got worse on May 7. According to BleepingComputer, attackers defaced the Canvas login portal, replacing the standard sign-in page with a ransom message visible to any user trying to access their courses. The defacement turned a quiet data theft into a public crisis. It hit right in the middle of exam season.

Breach Timeline from May 1 to May 12

Here is the day-by-day timeline:

  • On May 1-2, Instructure reported an initial cybersecurity incident, with user records held for ransom.
  • By May 7, Canvas login pages globally were defaced with a ShinyHunters ransom note.
  • Between May 7 and May 10, universities in the US, Canada, and Australia cancelled or delayed final exams.
  • Then on May 11, Instructure announced an agreement with ShinyHunters, with the ransom reportedly paid.
  • Finally, on May 12, the first ransom deadline arrived; ShinyHunters claims the stolen data has been wiped.

How ShinyHunters Got Inside Canvas LMS

The entry point was Canvas's "Free-For-Teacher" login program, a free tier that lets any instructor sign up without going through a school. Attackers used these unprivileged teacher logins to reach production data they should never have touched. A free signup form became the door to 275 million user records.

This pattern repeats across recent supply-chain attacks. The Vercel data breach earlier this year followed the same script: an indirect, low-privilege entry point cracked open production. The same threat group, ShinyHunters, has been linked to multiple Salesforce-stack breaches in 2026.

What Data Leaked and What Was Safe

Instructure's official statement is specific about what the attackers took and what they did not. Knowing the difference matters for your response plan.

The breach exposed:

  • Usernames.
  • Email addresses.
  • Student ID numbers (where used as IDs in Canvas).
  • Course names and sign-up info.
  • Private messages exchanged between students and teachers.

Per Instructure's own confirmation, the breach did NOT expose:

  • Passwords (even in hashed form).
  • Dates of birth.
  • Government-issued IDs.
  • Financial or payment info.
  • Course content, submissions, or grades.

In short, the good news is that core learning data (your essays, your quiz answers, your transcripts) stayed safe. But the bad news is real. The leaked metadata is enough to power targeted phishing. An attacker who knows your name, your school, your course code, and what you privately messaged your professor can craft a believable scam email.

Why the Canvas Data Breach 2026 Matters

The Canvas data breach 2026 is the largest education-sector cyberattack ever recorded. According to Wikipedia's incident page, it hit 8,809 universities, ministries of education, and other schools worldwide.

For comparison:

  • The 2019 Capital One breach affected 106 million people, about 39% of Canvas's victim count.
  • The 2017 Equifax breach hit 147 million, roughly 54% of the Canvas total.
  • Major supply-chain breaches in 2025 typically averaged 10-20 million records each.

Canvas is bigger than most consumer breaches because schools rarely roll out the basics consumer apps require. Many K-12 districts and smaller colleges still allow legacy username-and-password logins. They have no multi-factor sign-in. Many students reuse their school password on their personal accounts.

The exam disruption is the second-order damage. CNN reported that students at universities across three continents lost access during finals week. Some schools moved tests to paper, some delayed grading by weeks, and at least one Australian university cancelled the spring check period outright.

How to Protect Your Canvas Login

If you have a Canvas or related school login, take these four steps in order. Each one closes a different attacker path.

Change Your Canvas Password After the 2026 Breach

Sign in and rotate your Canvas password even though Instructure says passwords were not stolen. The reason: if you reuse the same password elsewhere (email, banking, gaming), an attacker now knows your username and email from the leak. They can use these as a starting point for login attempts on other sites. Use a long passphrase (16 characters or more) that is unique to Canvas.

Turn On Multi-Factor Sign-In Today

Multi-factor sign-in (MFA) blocks an attacker even if they get your password. If your school or district allows it on student or parent logins, switch it on today. Prefer authenticator apps like Google Authenticator, Microsoft Authenticator, or Authy over SMS codes, because SMS is vulnerable to SIM-swap attacks. Hardware keys (YubiKey, Titan) offer the strongest protection.

Watch for Targeted Phishing Emails Now

Expect a wave of fake "Canvas password reset" and "Your exam has been rescheduled" emails over the next four to six weeks. Attackers will use the real metadata they stole (your name, school, course code) to make these look authentic. Never click password reset links inside emails. Open canvas.instructure.com or your school's portal directly in your browser instead.
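For help desks and mail admins triaging reported messages, here is an added example (not from the original article or from Instructure) that checks which host each link in an email really points to. The trusted-domain list, function names and sample email are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only trusted domain is the one the article names.
# Add your school's own portal domain here.
TRUSTED_DOMAINS = ("instructure.com",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample email; every link below is made up for illustration.
SAMPLE_EMAIL = """\
Subject: Canvas password reset required
Your exam has been rescheduled. Confirm your login:
https://canvas.instructure.com.reset-portal.example/login
https://canvas.instructure.com@login.example.net/reset
http://canvas.instructure.com/login
https://canvas.instructure.com/login
"""


def classify_link(url):
    """Return (verdict, reason) for one URL taken from an email body."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ("suspicious", "malformed URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("suspicious", "no host")
    if parts.username is not None:
        # Text before '@' is userinfo; the browser connects to what follows it.
        return ("suspicious", "real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "punycode host " + host)
    if parts.scheme.lower() != "https":
        return ("suspicious", "not https")
    # Match the registered domain exactly or as a parent of the host.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return ("trusted", host)
    return ("suspicious", "untrusted host " + host)


def scan_email(body):
    """Classify every http(s) link found in the message text."""
    return [(url,) + classify_link(url) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}  ({reason})")
```

A "trusted" verdict only means the host matches the list; the advice to open the portal directly in the browser still applies.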

Use a Password Manager and Audit Other Logins

A password manager (Bitwarden, 1Password, KeePass) lets you set a unique password on every login without trying to memorize them. If you reused your Canvas password on any other service, change those passwords too. The malicious Chrome extension campaign that stole data from 900,000 users earlier this year shows how fast credential reuse turns one breach into ten.

What the Canvas Data Breach 2026 Teaches Schools

Schools sit on a peculiar mix of high-value data and low-budget security. The Canvas case is a wake-up call for IT leaders in three areas.

Supply-chain vendor risk reviews are no longer optional. When you sign with an LMS or HRIS vendor, you inherit every weakness in their stack. The Vercel data breach and now the Canvas incident both started inside the vendor, not at the school.

Mandatory MFA needs to apply to students and parents, not just staff. Most school districts still treat MFA as an admin-only control. A breach this big shows why the policy needs to extend to every active login.

Schools also need an incident-response playbook tailored to exam disruption. Decide now: if your LMS goes dark for 72 hours, what happens to scheduled exams? Who has authority to switch to paper or postpone? These calls are easier to make before the crisis.

For IT teams looking to build broader cyber capability, our cloud security career path roadmap and the Security Plus SY0-701 study guide are solid starting points. Pair these with regular updates, including timely patching on the dates highlighted in our Patch Tuesday April 2026 coverage, and you remove the attacker's easiest paths.

Summary

The Canvas data breach 2026 hit 275 million users across 8,809 schools in early May, exposing emails, course names, and private student-teacher messages, but not passwords, IDs, or financial data. Instructure paid an undisclosed ransom on May 11, and ShinyHunters claims the data is wiped. Change your Canvas password, turn on MFA, watch for targeted phishing, and audit any other logins where you reused the same password.

Frequently Asked Questions

Is my Canvas login affected by the Canvas data breach 2026?

If your school uses Canvas LMS and your login was active in early May 2026, assume your basic profile data leaked. Change your password today and turn on MFA. Schools will send a formal notification if specific student records were leaked, but the safest move is to act first and verify later.

Did the Canvas data breach 2026 leak my password or financial info?

No, according to Instructure's official confirmation. Passwords, dates of birth, government IDs, financial info, course content, and submitted work were not exposed. The leak was limited to identifiers and metadata: usernames, emails, course names, and private messages.

Why Did ShinyHunters Target Canvas in the 2026 Data Breach?

ShinyHunters is a financially motivated extortion group active since 2020. They specialize in Salesforce-stack breaches and have hit dozens of companies in 2026 alone, including Cushman & Wakefield. They targeted Canvas for the resale value of the data and the firm's ability to pay a ransom.

Is the Canvas Data Breach 2026 Data Really Wiped?

Treat the wipe claim as best-effort, not certainty. Even if ShinyHunters honored the agreement, copies may have been shared with partners or leaked to other criminals. Assume the data is in circulation and act accordingly: change passwords, enable MFA, and stay alert to phishing.

How Can Schools Stop the Next Canvas Data Breach?

Vendor security reviews, mandatory MFA for all active logins, and an exam-disruption playbook are the three controls schools most often miss. Pair these with timely vulnerability patching and you remove the attacker's easiest paths.

About the Author

Bhanu Prakash is a cybersecurity and cloud computing professional with hands-on experience in incident response, identity management, and security awareness training. He shares practical guides and career advice at ElevateWithB.

What to Read Next: If breach response is on your roadmap, check out our walkthrough of the Vercel data breach and how supply-chain hacks are reshaping vendor reviews in 2026.
