ShinyHunters has hit Instructure, the company behind Canvas LMS, and Instructure has confirmed the breach. The claim: 3.65 terabytes of stolen data covering 275 million students at more than 8,800 institutions. The deadline: contact by May 6, 2026, or the data goes public. The stolen data includes not just standard personally identifiable information but private Canvas inbox messages and student discussion posts — the internal communications of an educational system that most of its users had every reason to believe was protected.
This is the largest breach of educational data in history by raw scope. It is also the second major ShinyHunters breach confirmed in a single week: the group listed Medtronic in late April with a claim of 9 million stolen medical records, later confirmed via SEC 8-K filing. The pace is deliberate.
What Instructure Is, and What Canvas Holds
Instructure is a Utah-based ed-tech company founded in 2008. Canvas is its flagship product — a Learning Management System that functions as the academic infrastructure for the majority of US higher education institutions and a substantial share of K-12 districts. At last count, Canvas is used by more than half of all US universities and by tens of millions of K-12 students. Internationally, it operates in over 70 countries.
A Canvas deployment is not a peripheral system. It is the platform where students submit assignments, receive grades, communicate with professors and classmates, participate in discussion forums, access course materials, and — critically — exchange private messages via the Canvas inbox system. For many students, Canvas inbox is a primary channel for communicating sensitive academic matters: requests for extensions, disclosures of personal circumstances affecting coursework, accommodations for disabilities, grade disputes.
The data Instructure holds as a result is correspondingly sensitive:
- Names and institutional email addresses for every enrolled student on the platform
- Student ID numbers — which function as identifiers across university systems, often tied to financial aid, housing, health records, and campus access
- Canvas inbox messages — private, one-to-one communications between students and instructors
- Discussion post content — which can include personal disclosures, academic struggles, and opinions shared within an ostensibly private educational context
The 3.65TB claimed by ShinyHunters is consistent with the volume one would expect from a full export of a platform of this scale. At 275 million records across 8,800 institutions, that averages to roughly 31,000 students per institution — plausible for a dataset that includes large state university systems alongside smaller colleges.
ShinyHunters’ Pattern: Medical Records This Week, Student Records Next
The timing is not coincidental. ShinyHunters listed Medtronic on April 17–18, 2026, claiming more than 9 million medical records — names, Social Security numbers, dates of birth, government IDs, and medical information. Medtronic confirmed the incident via SEC Form 8-K on April 24. The Medtronic listing subsequently disappeared from ShinyHunters’ leak site, which threat intelligence analysts read as a likely quiet settlement — a payment made to suppress publication.
The Instructure listing follows the same operational pattern: a high-profile target, a specific data volume claim, a short-fuse deadline designed to force a decision before legal and forensic processes can catch up. ShinyHunters has used this model consistently since resurfacing in 2023 after the arrest of several members: claim, confirm, deadline, settle or publish.
The group’s record on follow-through is mixed but real. Their 2020 breach of Wattpad (270 million users), the 2024 Ticketmaster breach (560 million records), and subsequent breaches of Santander Bank and AT&T established that when they claim a breach of this scale, there is typically real data behind it. The question in contested cases is always scope — whether the data volume and content match the claim — rather than whether any breach occurred.
Instructure’s public confirmation removes that ambiguity for this case. Something happened. The remaining question is whether the 3.65TB and 275 million figure is accurate or inflated.
The May 6 Deadline and What Happens Next
ShinyHunters set a contact deadline of May 6, 2026. The deadline functions as a negotiating clock, not an automatic publication trigger — the group will contact Instructure or institutional representatives, discuss terms, and either reach an agreement or proceed to data publication or sale on a criminal marketplace.
For Instructure, the calculus is complicated by scale. Unlike a corporate breach where a ransom paid suppresses data affecting a defined customer set, the Instructure breach allegedly spans 8,800 independent institutions, each of which has its own obligations to affected students under FERPA (the Family Educational Rights and Privacy Act), state privacy laws, and — for international students — GDPR and equivalent frameworks. Paying a ransom does not extinguish those notification obligations if the breach is already confirmed.
FERPA requires educational institutions to notify students when their education records have been improperly disclosed. The triggering event is the disclosure, not the public confirmation of the breach. ComplianceHub.Wiki’s state notification guide covers the full patchwork of state deadlines that layer on top of the federal floor. Instructure’s public confirmation means the clock is already running for every institution using Canvas.
The Student Data Risk Profile
The risk from this breach is not uniform. It varies by the nature of the data exposed and by the population affected.
Higher education students face the standard risks from PII exposure — phishing, credential stuffing on other platforms, account takeover, identity fraud — plus institution-specific risks: fraudulent financial aid applications using stolen student IDs, targeted phishing that references specific course enrollments or instructors (data accessible via Canvas discussion post content), and impersonation of professors to students whose contact details are now known.
K-12 students represent a categorically different risk tier. Many are minors. Their Canvas data — including any inbox messages disclosing family circumstances, learning disabilities, or behavioral issues — carries far higher legal and ethical sensitivity. The Children’s Online Privacy Protection Act (COPPA) and various state equivalents impose additional obligations on institutions holding data on under-13 students. A dataset including minor student communications has significant value on criminal markets for a variety of deeply objectionable purposes.
Canvas inbox messages are the most sensitive category. Students routinely disclose medical conditions, mental health struggles, financial hardship, family crises, and academic misconduct concerns via Canvas inbox. This is private correspondence shared with a trusted academic institution, not public social media content. The exposure of that content to criminal actors is a harm that goes beyond the quantifiable — it is a breach of confidence that many affected students will not learn about immediately and cannot remediate.
FERPA Obligations and the Institutional Response Required
Every institution using Canvas should be treating this as a confirmed breach as of Instructure’s public acknowledgment. The institutional response checklist under FERPA and applicable state privacy law includes:
Immediate: Confirm with Instructure the scope of your institution’s data in the breach. What records were included — names only, or inbox content and discussion posts? What date range? Which student cohorts?
Short-term: Prepare breach notification for affected students. FERPA does not specify a notification timeline (unlike HIPAA’s 60-day window or GDPR’s 72-hour supervisory authority notification requirement), but unreasonable delay creates liability exposure. State laws in California, New York, Texas, and others impose specific timelines.
Operational: Rotate Canvas credentials institutionally. Force password resets for all student and faculty accounts. Review third-party integrations that use Canvas SSO or OAuth tokens — those sessions may have been in scope.
Legal: Assess whether the breach triggers any regulatory reporting obligations in your jurisdiction. European institutions or those with significant international student populations will face GDPR supervisory authority notification requirements.
What Students Should Do
You cannot undo a breach that has already occurred. You can limit the downstream damage.
Assume your Canvas email address is now on criminal lists. Treat any email to that address referencing your institution, your courses, your grades, or your financial aid as potentially a targeted phishing attempt. Verify sender identities through official institutional channels before clicking anything or providing information.
Check your student portal for unauthorized changes: financial aid disbursement details, enrollment status, address changes. Student ID numbers combined with institutional email access are sufficient to request fraudulent administrative changes at some universities.
Enable two-factor authentication on every account that uses your student email as a login or recovery address. Your Canvas inbox address is now publicly associated with your identity and institution.
If you disclosed sensitive personal information via Canvas inbox — medical conditions, family circumstances, mental health issues — be aware that this content may be included in the stolen dataset. There is no remediation for content already disclosed; the appropriate posture is heightened awareness of any contact that references or seems aware of that information.
Sources
- TechCrunch: Hackers steal students’ data during breach at education tech giant Instructure (May 5, 2026)
- Malwarebytes: Millions of students’ personal data stolen in major education cyberattack (May 2026)
- SC Media: Instructure confirms data breach, ShinyHunters claims responsibility (May 2026)
Breached.Company covers state-sponsored cyber and hybrid threats, breach disclosures, and signals intelligence for the security community.



