Instructure, operator of the Canvas learning management system, disclosed a data breach on May 7, 2026, after the extortion group ShinyHunters claimed responsibility and asserted it had stolen 275 million records. Instructure confirmed that names, email addresses, student ID numbers, and private messages between users were accessed before containment, affecting institutions that include over 7,000 universities and K-12 districts and roughly 41% of North American higher education. Canvas was placed into maintenance mode and taken offline during the incident, disrupting U.S. colleges and K-12 schools in the middle of the finals period. The platform was restored after security patches were applied, though several institutions advised users to delay logging back in pending further guidance. The investigation and notifications to affected institutions are ongoing.