Deutsch
English
Español
Français
Nederlands
Português
Massive Canvas Data Breach Confirmed: ShinyHunters Targets Education Sector
A massive data breach at Instructure, the parent company of the widely-used Canvas learning management system (LMS), has exposed the personal information of up to 275 million students, teachers, and staff worldwide. The hacking group ShinyHunters claimed responsibility for the attack, which targeted roughly 9,000 educational institutions globally, including several major universities in the Netherlands. The breach was detected on April 30, 2026, and confirmed by Instructure on May 1, 2026.
What Data Was Stolen in the Canvas Breach?
According to Instructure's official confirmation, the exposed data includes names, email addresses, student ID numbers, and private messages exchanged between Canvas users. The company has stated there is no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. However, ShinyHunters claims to have stolen 3.65 terabytes of data, including "several billions of private messages" and personally identifiable information (PII). The hackers also allege they breached Instructure's Salesforce instance through a misconfiguration.
Instructure's CISO Steve Proud confirmed the incident is contained and stated that impacted institutions will be notified if additional sensitive data is found to be exposed. The company has deployed patches, rotated application keys, and increased monitoring in response.
ShinyHunters' Ultimatum: Pay or Leak
ShinyHunters posted a threat on the dark web addressed to Instructure Holdings, writing: 'This is a final warning. Contact us before May 6, 2026, or we will leak the data and other unpleasant digital problems will come your way. Make the right choice, don't be the next headline.' The group is known for its "pay or leak" extortion strategy, having previously targeted major companies including Odido, Ticketmaster, AT&T, Santander, and Wattpad.
This is not the first time ShinyHunters has targeted Instructure. The same group exploited a social engineering attack against Instructure's Salesforce environment in September 2025, making this the second major edtech data breach in less than a year for the company.
Dutch Universities Among Those Affected
Several prominent Dutch educational institutions that use Canvas are potentially impacted, including Fontys Hogescholen, Maastricht University, Hogeschool Utrecht, the University of Amsterdam, VU Amsterdam, Erasmus University Rotterdam, and Tilburg University. Maastricht University has already informed students and staff via email, noting that Canvas remains safe to use while investigations continue. The University of Twente has also issued a statement monitoring the situation.
The growing threat of cyberattacks on education highlights the vulnerability of centralized learning platforms that hold vast amounts of personal data on minors and adults alike.
Why This Breach Matters for Education
Canvas is one of the world's most popular learning management systems, used by over 8,000 institutions across North America, Europe, and Asia-Pacific. The platform sits at the center of daily educational operations, handling grades, assignments, communications, and administrative workflows. A breach of this scale raises serious concerns about student privacy, identity theft, and targeted phishing attacks. Cybersecurity experts warn that exposed school email addresses and student IDs make students and teachers prime targets for social engineering campaigns.
The education sector has become a high-value target for cybercriminals. According to industry reports, K-12 school districts average five cyber incidents per week, and 98% of higher education institutions report having experienced at least one cyberattack. The Canvas breach is among the largest ever to hit the edtech industry, rivaling the 2020 Blackboard breach and the 2024 PowerSchool incident.
What Students and Teachers Should Do Now
Cybersecurity experts recommend that all Canvas users take the following precautions:
- Change Canvas passwords immediately and enable multi-factor authentication (MFA) if available.
- Be vigilant against phishing emails that appear to come from Instructure or your educational institution.
- Monitor accounts for suspicious activity, including unauthorized login attempts.
- Do not click on links or download attachments from unsolicited messages claiming to be about the breach.
Instructure has stated that it will notify affected institutions directly if further data exposure is discovered. The company has also set up a dedicated page for breach updates.
Regulatory and Legal Implications
The breach may trigger regulatory scrutiny under the Family Educational Rights and Privacy Act (FERPA) in the United States, the General Data Protection Regulation (GDPR) in Europe, and other privacy laws. Dutch universities, in particular, may face obligations to report the incident to the Autoriteit Persoonsgegevens (Dutch Data Protection Authority). Mass claims similar to the one filed against Odido in the Netherlands could also emerge if affected users seek compensation.
FAQ: Canvas Data Breach
What is the Canvas data breach?
The Canvas data breach is a cybersecurity incident confirmed by Instructure on May 1, 2026, in which the hacking group ShinyHunters stole personal data of up to 275 million Canvas users worldwide.
What data was stolen in the Canvas breach?
Exposed data includes names, email addresses, student ID numbers, and private messages. Passwords, birth dates, government IDs, and financial data were not compromised according to Instructure.
Which schools are affected by the Canvas hack?
Roughly 9,000 educational institutions globally are potentially affected, including major Dutch universities such as the University of Amsterdam, Maastricht University, and Erasmus University Rotterdam.
Who is ShinyHunters?
ShinyHunters is a black-hat hacker and extortion group formed around 2019, known for large-scale data breaches and "pay or leak" tactics. They have previously targeted companies like Odido, Ticketmaster, AT&T, and Microsoft.
Is Canvas safe to use after the breach?
Instructure has stated that Canvas remains safe to use. The company has patched the vulnerability, rotated API keys, and increased monitoring. However, users should change passwords and enable MFA as a precaution.
Follow Discussion