Canvas/Instructure Holdings

Between May 1-7, 2026, ShinyHunters breached Canvas—the learning management system used by 8,809 universities globally and 41% of all US higher education institutions. The attackers extracted 3.65 terabytes of data covering 275 million users. Instructure disclosed the breach on May 5 and reportedly paid a $10 million ransom, making this one of the largest education technology breaches in history.

Canvas isn't just course content. It's the complete digital record of higher education interactions—student submissions, grades, private messages between students and instructors, discussion forums, quiz attempts, assignment feedback, attendance records, course analytics. Every interaction in digital learning flows through the LMS.

The exposed data includes years of academic records. Student messages to professors about mental health struggles, accommodations for disabilities, grade disputes, academic integrity investigations. Faculty communications about student performance, disciplinary matters, research collaborations. Institutional data revealing enrollment patterns, course offerings, academic policies. All of it—275 million users worth—now in attacker hands.

Students wrote messages they believed were private. They disclosed medical conditions to request deadline extensions. They discussed family emergencies. They submitted work revealing their writing voice, research interests, and intellectual development across semesters. Faculty provided candid feedback, discussed student struggles with colleagues, documented academic integrity concerns.

This isn't like a breach of business email or customer databases. Educational records carry FERPA protections precisely because they document formative years, academic struggles, disciplinary matters, and personal development. The exposure affects current students, recent graduates, and anyone who used Canvas at any participating institution. For international students, researchers working on sensitive projects, or students who later entered high-profile careers, the leaked communications could resurface indefinitely.

Instructure operates Canvas as a cloud-hosted SaaS platform. Universities trusted that a company serving 41% of US higher education had enterprise-grade security—penetration testing, security audits, compliance certifications, dedicated security teams. Canvas had become critical infrastructure for higher education, especially after COVID-19 forced digital learning adoption.

The platform handled billions of educational interactions. Instructure built systems for scale, reliability, and feature development. They believed their security posture matched the sensitivity of the data they hosted. ShinyHunters proved otherwise, extracting 3.65 TB of educational records despite those protections.

Learning management systems accumulate data indefinitely. Courses from 2010 sit alongside current semester data. Deleted messages often aren't actually deleted—they're flagged but retained in databases. Student communications, assignment submissions, forum posts, quiz attempts, and grade histories pile up across academic years.

Did Instructure know exactly how many years of student messages were stored in production systems? Which personally identifiable information students had submitted through assignment uploads or course materials? What sensitive communications existed in instructor-student message threads? The 3.65 TB haul suggests the platform contained far more historical data than anyone had inventoried. When you're managing 275 million user accounts across 8,809 institutions, the data accumulation becomes unknowable without systematic discovery.

Instructure faces FERPA notification requirements for every affected institution. Universities must notify students and faculty that their educational records were compromised. Each institution operates under state breach notification laws. International universities navigate their own data protection regimes—GDPR in Europe, PIPEDA in Canada, various privacy laws across Asia and Latin America.

The $10 million ransom payment—if confirmed—raises questions about data recovery versus deletion. Did paying guarantee that attackers deleted the data? Can anyone verify that? For students and faculty, their messages and academic records are already gone. Whether attackers keep copies, sell them, or delete them is beyond anyone's control once the exfiltration is complete.