Canvas Data Breach 2026: What Students and Parents Need to Know

If your school uses Canvas, your personal information may have been exposed.

On May 7, 2026, a criminal hacking group broke into Canvas, a learning platform used by millions of students and teachers across the country.  

Personal information for students, teachers, and staff at thousands of schools may have been exposed.

When personal information is stolen, it can be used in scams, phishing attacks, and identity theft. Taking action early can help lower your risk.

If your information was exposed, tools like identity monitoring and dark web alerts can help you spot suspicious activity faster and respond before it becomes a bigger problem.

What Happened in the Canvas Data Breach

Canvas is a learning platform run by a company called Instructure. It is used to manage assignments, grades, messages, and coursework. It is used by thousands of K through 12 schools and colleges across the country.

Instructure first detected unusual activity on April 29, 2026. The company said it took steps to secure the platform. But the attack was not over.

On May 7, 2026, students logging into Canvas were met with a threatening message from a criminal group called ShinyHunters.

‍The group claimed it had stolen data from Canvas and would release it unless it was paid.

According to CNN, universities including Columbia, Rutgers, Princeton, Kent State, Harvard, and Georgetown all sent alerts to students.  

The breach hit during final exam week at many schools, forcing professors to scramble and students to lose access to their coursework.

Instructure took Canvas offline on May 7 to investigate. By late that night, the platform was back online for most users, according to CNN.

The breach affected institutions in the United States, United Kingdom, Australia, New Zealand, Sweden, and the Netherlands.

Who Is ShinyHunters?

ShinyHunters is a criminal extortion group. They steal data from companies, then threaten to release it unless they are paid.  

CNN reports this is the second school data breach the group claimed in May 2026 alone.

Where Did the Breach Happen?

ShinyHunters accessed Instructure's cloud systems. Once inside, the group was able to view and copy user data stored on the platform.

The group left a message on Canvas login pages demanding payment and giving a deadline of May 12, 2026. Schools that did not pay were threatened with having their data released publicly.

Why This Type of Attack Is a Growing Problem

This was not just a technical hack. The ShinyHunters group is known for combining data theft with pressure campaigns to force payment.

Modern attacks like this one often:

1. Target large platforms where many organizations store data
2. Use stolen data as leverage to demand payment
3. Publish data publicly when demands are not met

Once data is released online, it spreads quickly and is very hard to remove. This is why acting fast after a breach matters.

What Information Was Exposed in the Canvas Data Breach

Instructure confirmed that user data was exposed. According to CNN's reporting on Instructure's official statement, the exposed information includes:

1. Names
2. Email addresses
3. Student ID numbers
4. Messages between users

Instructure stated it found no evidence that passwords, dates of birth, government ID numbers, or financial information were part of the breach.

ShinyHunters claimed it stole data from 275 million users at nearly 9,000 schools. Instructure has not confirmed those numbers.  

The investigation is still ongoing. Those figures should be treated as unverified until the company confirms them.

Why Even Basic Information Is Dangerous

Even without passwords or financial data, the information exposed in this breach can cause real harm.

The Federal Trade Commission (FTC) warns that even basic personal details like your name and email address can be used to craft convincing scam messages.  

Criminals use real details to make their messages look like they are coming from a trusted source, like your school or a teacher.

The New Jersey Cybersecurity and Communications Integration Cell warns that stolen personal data is often sold on the dark web, where it can be used to launch phishing emails, text scams, and fake phone calls long after the original breach.

Who Was Affected by the Canvas Data Breach

The breach affected institutions across the country and around the world. Confirmed affected regions include the United States, United Kingdom, Australia, New Zealand, Sweden, and the Netherlands.

In the United States, institutions that issued alerts to students include:

1. Columbia University
2. Harvard University
3. Princeton University
4. Rutgers University
5. Georgetown University
6. Kent State University
7. University of Pennsylvania
8. Duke University
9. Wake County Public Schools (K through 12)

The breach is not limited to colleges. Many K through 12 school districts also use Canvas, which means younger students may be affected too.  

If your child's school uses Canvas, assume their information may have been exposed and take action.

Worried Your Information Was Exposed? Here Is What You Can Do

Here are steps you can take to help you stay protected:

Watch for Suspicious Messages

After a data breach, scam messages often follow. Be careful with:

1. Emails you were not expecting
2. Texts asking you to click a link or confirm information
3. Messages that feel urgent or threatening
4. Anything claiming to be from Canvas, Instructure, or your school

If something feels off, do not click. Go directly to your school's website or Instructure's status page instead.

Change Your Canvas Password

Even though passwords were not confirmed as part of the breach, changing yours is a smart step.

1. Use a strong password
2. Do not reuse passwords across accounts
3. Consider using a password manager to keep track

Turn On Two Factor Authentication

Two factor authentication adds a second step when you log in. It helps protect your account even if someone gets your password.

1. Turn it on for your school email
2. Turn it on for any account linked to your school

Monitor Your Accounts

Check your accounts regularly for anything unusual. Look for:

1. Login attempts you did not make
2. Emails or messages you did not send
3. Account changes you did not request

Check for Dark Web Exposure

Stolen data is often sold or posted on the dark web. It is worth checking whether your personal information has shown up somewhere it should not be.

IdentityIQ identity theft protection and dark web monitoring sends an alert when possible suspicious activity is detected on the dark web.

Report Identity Theft to the FTC

If you believe someone has already used your information, report it at IdentityTheft.gov.

The FTC will walk you through a free, step by step recovery plan.

A Note for Parents of K Through 12 Students

Younger students are at risk too. Many K through 12 schools across the country use Canvas.

Children are often targeted for identity theft because they typically do not have credit reports.

That means fraud can go undetected for years, sometimes until a child tries to open their first bank account or apply for a loan.

The FTC recommends checking with each of the three major credit bureaus to see if your child has a credit report on file.  

If one exists that should not, you can place a credit freeze to stop anyone from opening new accounts in your child's name.

If you think your child was affected:

1. Contact each of the three major credit bureaus to check if your child has a credit report
2. Place a credit freeze if one exists that should not
3. Watch for any unusual mail or messages addressed to your child
4. Follow the steps above on your child's behalf

How to Spot a Phishing Scam After a Data Breach

When personal data is stolen, phishing scams usually follow. Here is what to watch for.

Urgent Requests

Scammers create panic to get you to act fast. Watch for messages that say:

1. Act now
2. Your account is at risk
3. Immediate action required

Requests for Personal Information

A real school or company will never ask for this by email or text:

1. Passwords
2. Security codes
3. Social Security numbers
4. Financial details

The FTC advises that if you get a message from an organization you work with, go to their official website directly instead of clicking any link in the message.

Messages That Feel Off

Pay attention to:

1. Spelling errors or strange wording
2. Email addresses that look almost right but not quite
3. Links that go to unfamiliar websites

Pressure to Stay on the Phone

If someone calls claiming to be from your school or Canvas and pressures you to stay on the line, that is a red flag.

1. Hang up if you feel pressured
2. Call the organization back using a number from their official website
3. A real company will let you verify before taking action

Help Protect Your Identity After the Canvas Breach

A breach like this is a reminder that personal information is always at risk, especially on platforms we rely on every day.

What matters now is choosing protection you can trust.

The right service should not only watch your information but also help you act quickly if something goes wrong. Look for:

1. Real time credit monitoring across all three major credit bureaus
2. Active monitoring for your personal information on the dark web
3. Fast alerts when we detect possible suspicious activity
4. Expert restoration support if your identity is stolen

IdentityIQ offers identity theft protection built around all of these features. Click here to get protected now.

Frequently Asked Questions About the Canvas Data Breach 2026

Below you can find frequently asked questions on the Canvas Data Breach:

What happened in the Canvas data breach?

A criminal group called ShinyHunters broke into systems run by Instructure, the company behind Canvas.  

They accessed user data and demanded payment to keep it private. The breach was confirmed by Instructure and affected thousands of schools across the country and around the world.

What information was exposed in the Canvas breach?

According to Instructure, the confirmed exposed data includes names, email addresses, student ID numbers, and messages between users.  

Passwords, dates of birth, government IDs, and financial information were not confirmed as part of the breach.

Was financial information stolen in the Canvas data breach?

No. Instructure has stated there is no evidence that financial information was part of the breach. However, even basic personal information can still be used in scams and phishing attacks.

Should I be worried about identity theft?

The exposed data is enough for criminals to send targeted scam messages.  

While the risk of full identity theft is lower without a Social Security number or financial data, you should still monitor your accounts and watch for suspicious emails, texts, or calls.

How do I know if my school was affected?

Check your school's official website and Instructure's status page at status.instructure.com for updates specific to your institution.  

You may also receive a notification from your school directly.

How long does the risk last after a data breach?

The risk can last for months or even years. Stolen data is often shared or sold online, which means it can be used long after the original breach.  

Ongoing monitoring is the best way to stay protected.

Final Thoughts

The Canvas data breach is still developing. Instructure's investigation is ongoing, and the full scope of the incident has not yet been confirmed.

What is confirmed: students, teachers, and staff at thousands of schools had their personal information accessed by a criminal group.

The best thing you can do right now is stay alert, be skeptical of unexpected messages, and take steps to help protect your personal information

If you have questions about protecting yourself after the Canvas breach, contact IdentityIQ today.