
The Canvas Data Breach: What It Means for Students, Educators, and You

If you or someone you know uses Canvas, the online learning platform used by universities (including the University of Saskatchewan), colleges, and K–12 schools across North America, your personal data may have been compromised. This week, a major cyberattack on Instructure, the company behind Canvas, sent shockwaves through the education community. Here’s what happened, what it means for you, and what you can do right now to protect yourself.

What Happened?

On May 7, 2026, Canvas, one of the most widely used learning management systems in the world, went offline after a criminal extortion group known as ShinyHunters claimed responsibility for a massive data breach. The platform, which is used by roughly 41% of all higher education institutions in North America and millions of K–12 students, was suddenly inaccessible with a warning from the attackers, leaving students mid-exam, unable to submit assignments, and locked out of course materials during finals week.

You can view the warning below. We recommend you don’t visit the URLs in the image unless you have cybersecurity experience and know how to protect yourself. We have acquired a copy of the list mentioned and you can download this from us by clicking the button found further down this post.

The Canvas data breach screenshot

ShinyHunters isn’t a new name in cybercrime. This is the same group linked to the massive Ticketmaster data breach in 2024 and several other high-profile attacks. In this case, the group claims to have exploited vulnerabilities in Instructure’s “Free-For-Teacher” accounts to gain access to the platform’s cloud environment. Instructure has confirmed the attack originated there and has since shut those accounts down.

The scale of what ShinyHunters claims to have stolen is staggering:

  • 275 million records tied to students, teachers, and staff
  • 3.65 terabytes of data exfiltrated from the platform
  • Roughly 9,000 schools, school districts, universities, and education platforms affected worldwide
  • Billions of private messages between students, teachers, and staff

The group set a ransom deadline of May 12, 2026, threatening to publicly release all stolen data if their demands are not met. As of publishing this post, the investigation is still ongoing and the full scope of the breach has not yet been independently confirmed.

Who Was Affected? (Saskatchewan Institutions On The List)

ShinyHunters released a list of nearly 9,000 schools, universities, and education platforms they claim were affected by the breach.

For those of us here in Saskatchewan, two institutions appear on that list: the University of Saskatchewan and Metis Nation Saskatchewan.

If you are a student, staff member, or educator connected to either of these institutions through Canvas, you should assume your data may have been compromised and take the protective steps outlined below immediately. It’s worth noting that inclusion on this list does not necessarily mean data was confirmed stolen (the full scope of the breach is still being investigated), but it does mean your institution was identified as a potential target, and caution is warranted.

If you are curious about the scope of this attack, you can use the button below to download a copy of the list, which we acquired before it disappeared. This is just a simple text file and won’t cause any harm if you download it.

What Data Was Taken?

Instructure has confirmed that exposed data includes:

  • Full names
  • Institutional email addresses
  • Student ID numbers
  • Direct messages sent between users on the platform

What Instructure says was not involved (based on current investigation):

  • Passwords
  • Dates of birth
  • Government identifiers (e.g., Social Insurance Numbers)
  • Financial information

That said, investigations like this take time, and the full picture may not be known for weeks. It’s important not to treat the absence of confirmed password theft as a reason to relax: the data that was taken is more than enough to cause serious harm.

Why Should You Take This Seriously?

You might be thinking: They didn’t get my password or SIN, how bad can it be?

Very bad, actually. Here’s why.

Your name, email address, student ID, and private messages, taken together, are a goldmine for cybercriminals. This type of information is exactly what is used to launch targeted phishing attacks, also known as spear-phishing. Unlike generic spam, spear-phishing uses real details about you to craft convincing, personalized messages designed to trick you into handing over passwords, clicking malicious links, or even transferring money.

Imagine receiving an email from what appears to be your university IT department, addressed to you by name, referencing your student ID, and asking you to reset your password due to the breach. That’s the kind of attack this stolen data enables. And because billions of private messages were reportedly stolen, bad actors may know the names of your professors, your classmates, even details of your personal conversations, making their fake messages even more believable.

Beyond phishing, stolen data like this can be used for:

  • Account takeover – using your email and known details to gain access to other accounts through password resets or social engineering
  • Identity fraud – combining your name, email, and student ID with data from other breaches to build a more complete profile
  • Credential stuffing – if you reuse passwords, attackers may try the passwords from other breaches against your accounts
  • Social engineering attacks – impersonating you, your school, or your contacts to manipulate others

What Should You Expect Now?

In the days and weeks following a breach of this scale, a few things typically happen:

  1. A surge in phishing emails. Expect emails that appear to come from Canvas, Instructure, your school, or even government agencies claiming to be related to the breach. These will try to get you to click a link, enter credentials, or provide personal information.
  2. Fake “breach notification” scams. Ironically, data breaches create perfect cover for scammers to send fake notifications. Be skeptical of any unsolicited communication asking you to “verify your account” or “update your information”.
  3. Increased targeting of younger users. Because Canvas serves K–12 students, a significant portion of those affected may be minors. Parents should be especially vigilant and have conversations with their children about what to watch for.
  4. Possible data release on the dark web. If ShinyHunters follows through on their threats (and their track record suggests they often do), the stolen data may be published or sold to other criminal actors, multiplying the number of people who could use it against you over time.
  5. Ongoing institution communications. Your university, college, or school will likely send out official notices. Refer to your school’s official website or IT department for guidance specific to your situation.

How to Protect Yourself Right Now

You can’t un-ring the bell. If your data was taken, it was taken. But you absolutely can reduce the risk of it being used against you. Here’s what to do:

Change Your Canvas Password (And Any Reused Passwords)

Even though Instructure says passwords weren’t directly compromised, it’s a good idea to change your Canvas password now (if you aren’t set up with single sign-on through your institution). More importantly, if you use the same password on other accounts, change those too. Password reuse is one of the biggest ways a single breach cascades into multiple account takeovers.

Enable Multi-Factor Authentication (MFA) Everywhere You Can

MFA requires a second form of verification (like a code texted to your phone) in addition to your password. Even if someone gets your password, they can’t get in without that second factor. Turn this on for your email, your school account, your banking apps, everywhere it’s available.

Be Extremely Skeptical of Emails and Messages

Do not click links in emails about the Canvas breach. If you want to check on your account, type the URL directly into your browser. Your school, Canvas, and Instructure will never ask you to provide your password via email. If something feels off, it probably is.

Red flags to watch for:

  • Urgency (“Act now or your account will be closed!”)
  • Requests for personal information or passwords
  • Links that look similar to real sites but aren’t quite right (e.g. canvas-login.com)
  • Messages referencing your student ID or name that you didn’t expect
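
The "looks similar but isn't quite right" red flag can be checked mechanically. The sketch below is an added example, not part of the original post: it pulls the links out of a message and compares each real hostname against a short allowlist. The trusted domains, the brand words and the sample message are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains this reader really uses; adjust per institution.
TRUSTED = {"instructure.com", "usask.ca"}
# Assumption: brand names a lookalike address would borrow.
BRAND_WORDS = ("canvas", "instructure")

URL_RE = re.compile(r"https?://[^\s<>)]+", re.I)


def classify_link(url):
    """Return 'trusted', 'suspicious' or 'unknown' for one URL."""
    parts = urlsplit(url)
    # hostname is what the browser connects to; text before '@' is ignored.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Trusted only if the host IS a trusted domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    # A brand name anywhere in an untrusted address, or punycode labels,
    # is the lookalike pattern described in the red-flag list.
    address = parts.netloc.lower()
    if any(w in address for w in BRAND_WORDS) or "xn--" in host:
        return "suspicious"
    return "unknown"


def scan_message(text):
    """Map every link found in a message body to its classification."""
    return {u: classify_link(u) for u in URL_RE.findall(text)}


# Constructed sample message, not taken from a real phishing email.
SAMPLE = """Act now or your account will be closed!
Reset here: https://canvas-login.com/reset
or here: https://canvas.instructure.com@secure-portal.example/login
or here: http://instructure.com.verify-id.example/
Official site: https://canvas.instructure.com/
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE).items():
        print(f"{verdict:10} {url}")
```

Only the last link resolves to a trusted domain; the other three borrow the brand name while pointing somewhere else.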

Monitor Your Email Account Closely

Your email is the master key to your digital life: most password resets go through it. Check for any login activity you don’t recognize and ensure your email recovery options (like a backup phone number) are up to date.

Watch for Signs of Identity Fraud

Keep an eye on any accounts linked to your school email. If you notice unusual activity, password reset emails you didn’t request, accounts you don’t recognize, or unexpected login attempts, take action immediately.

Warn Your Kids and Students

If you’re a parent or educator, talk to the young people in your life about this breach. Teach them not to click suspicious links, not to share their passwords, and to come to a trusted adult if they receive something that makes them uncomfortable.

Report Suspicious Activity

If you receive what you believe is a phishing attempt related to the Canvas breach, report it to your school’s IT department. You can also report phishing emails directly through your email provider.

A Word on the Bigger Picture

This breach is a stark reminder of how interconnected our digital lives have become, and how much of our personal data lives in systems we don’t control. The education sector has increasingly become a target for cybercriminals precisely because institutions hold so much sensitive data on so many people, including vulnerable populations like minors.

Staying cyber-aware isn’t just for IT professionals anymore. It’s a skill every student, educator, and working professional needs to develop.

Update: Instructure Reaches Agreement

There is some cautiously good news as of May 12. Instructure announced it reached an agreement with ShinyHunters, and as part of that deal, the hackers returned the compromised data of the roughly 275 million affected users and provided digital confirmation that the data was destroyed. Instructure stated that the agreement covers all impacted customers, and that there is no need for individual customers to attempt to engage with the hackers directly.

However, cybersecurity experts are urging caution. As one cybersecurity investigator noted, there have been multiple past instances where a ransom was paid and the data was not actually deleted. Instructure has not publicly confirmed whether a ransom payment was made.

In short, while this development is encouraging, it does not guarantee your data is fully out of reach. Instructure has said it is continuing to work with expert vendors to support its forensic analysis and improve its cybersecurity posture going forward. We strongly recommend continuing to follow the protective steps outlined in this post regardless of this update. Staying vigilant costs nothing, and the risk of targeted phishing and fraud from already-circulated data remains real.

Stay Informed. Stay Protected.

We believe that knowledge is your best defence. Whether it’s mastering Microsoft Office, building stronger communication skills, or navigating today’s digital world safely, we’re here to help you and your team grow.

If you’re interested in cybersecurity awareness training for your organization, our CyberSAFE course is a great option. Get in touch with us. And keep checking our Knowledge Hub for practical tips to help you work smarter and safer.
