In one of the largest data breaches targeting the education sector, Canvas — the learning platform operated by Utah-based Instructure — went offline on 8 May 2026 after the hacking group ShinyHunters gained unauthorised access to its systems between 25 April and 8 May.
The breach compromised student names, email addresses, institutional ID numbers, course data, assignment submissions, and private messages from over 9,000 educational institutions across the United States, United Kingdom, Canada, and Australia.
What Was Exposed
According to Instructure's incident report, the data exposed includes personally identifiable information of students and staff across all affected institutions. Security researchers confirmed it contained sensitive academic records dating back several years.
The Deal With the Hackers
On 13 May 2026, Instructure confirmed it reached an agreement with ShinyHunters to delete the stolen data. The company has not disclosed whether a ransom was paid. Cybersecurity experts have widely criticised this approach, noting there is no way to verify whether stolen data has actually been deleted.
What Students Should Do
Students at affected institutions should monitor their email accounts for phishing attempts, change passwords on any services where they used the same credentials as Canvas, and enable two-factor authentication on their primary email accounts.