ARTICLE
8 May 2026

Deconstructing The Canvas (Instructure) Data Breach: What Happened And What Should Your Institution Do Next?

BS
Bond, Schoeneck & King PLLC

Contributor

Bond, Schoeneck & King PLLC logo

Bond is a full-service law firm counseling individuals, companies, not-for-profits and public sector entities in a wide spectrum of practice areas.

With over 300 lawyers, we represent clients in agribusiness and natural resources; commercial lending and transactions; real estate development and construction; defense and high-tech; energy and chemicals; health care and long-term care; manufacturing and electronics; hospitality, sports, entertainment and tourism; municipalities and school districts; higher education; and other exempt and nonprofit organizations. We maintain ten offices in New York State as well as locations in Florida, Kansas, Massachusetts and New Jersey.

Explore Firm Details
A criminal hacking group known as ShinyHunters executed a major cyberattack on Canvas, the widely-used education platform, compromising data from 275 million individuals across nearly 9,000 schools.
United States Technology
Amber Lawyer,Jessica Copeland,Courtney Ryan
+1 Authors
Bond, Schoeneck & King PLLC are most popular:
  • within Litigation, Mediation & Arbitration, Tax and Consumer Protection topic(s)
  • in United States
  • with readers working within the Aerospace & Defence industries

On May 7, 2026, Canvas, a popular cloud-based education platform used by over 8,000 K-12 schools and higher education institutions across the United States, was shut down by a cyberattack. Universities, colleges and school districts across the country report being affected. The attack was perpetrated by a criminal hacking group known as ShinyHunters, who gained unauthorized access to the Canvas platform and stole a significant amount of user data before attempting to extort Instructure, Canvas’s parent company and the affected schools.

This recent hack follows a previous cybersecurity incident against Instructure that took place on May 1. Although Instructure claimed that the breach had been “contained” as of May 2, personally identifying user data, including names, email addresses, student ID numbers and Canvas messages, appear to have been exposed. On May 3, ShinyHunters shared a ransom note, claiming that it breached 275 million individuals’ data across nearly 9,000 schools, and had access to “several billions of private messages.” Instructure was told they had until May 6 to reach out to the hackers, and a deadline of May 12 was given to “negotiate a settlement.” Many notable institutions also report that a ransom note was posted on the homepage of their Canvas sites.

As of May 8, 2026, Canvas is back online and normal operations are restored, though due to the timing of the breach, the hack has already impacted exam schedules and assignment deadlines at many schools and universities. After investigation, Instructure reports that the hack stemmed from the exploitation of a weakness tied to Canvas’s Free-For-Teacher accounts. The Free-For-Teacher accounts have been temporarily shut down in the wake of the attack. Institutions should be aware that they may need to contact their cyber insurance carriers and may have other legal notice obligations. We will know more as more information is revealed from Canvas.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Amber Lawyer
Amber Lawyer
Photo of Jessica Copeland
Jessica Copeland
Photo of Shannon Knapp
Shannon Knapp
Photo of Courtney Ryan
Courtney Ryan
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More