Instructure data breach exposes student data from Canvas LMS; ShinyHunters claims 275M affected

Education technology company Instructure, developer of the Canvas learning management system used by thousands of institutions, confirmed a cybersecurity incident on May 1, 2026, in which attackers accessed names, email addresses, student ID numbers, and user messages. The ShinyHunters extortion group claimed responsibility on May 3, stating they exfiltrated 3.65 terabytes of data affecting nearly 9,000 educational institutions and up to 275 million students, teachers, and staff, including billions of private messages. Instructure stated there is no evidence that passwords, dates of birth, government identifiers, or financial information were exposed, and claimed the incident was contained by May 2. TechCrunch reviewed a sample of stolen data from two US schools (Massachusetts and Tennessee) confirming the exposure of messages with names, emails, and phone numbers. Instructure's platforms also include Mastery (assessment) and Parchment (record management).