If your kid uses Canvas for school, if you teach a class through Canvas, or if you log in to Canvas as a student or staff member at a college, you have probably already heard the news. The platform went into "maintenance mode" on May 7. The reason is that Instructure, the company that runs Canvas, was hit with a major data breach. For schools and businesses that depend on hosted platforms, this is also a reminder to review how cloud services are configured and monitored.
I have been getting calls and texts about this since yesterday from parents in Salinas, Monterey, and Watsonville, plus a few clients whose own employees use Canvas through community college programs. The questions are all the same: what was actually stolen, how bad is it, and what should I do today.
Here is the plain-talk version, with no fearmongering and no "the sky is falling." Just the facts and the steps that actually matter.
What actually happened
A criminal extortion group called ShinyHunters claims they stole roughly 3.65 terabytes of data from Instructure, the parent company of the Canvas learning management system. They say it covers around 275 million records and roughly 9,000 schools worldwide. They posted a ransom note on a dark web leak site giving Instructure until May 12 to "negotiate a settlement" or they will publish the data.
On May 7, Instructure put Canvas, Canvas Beta, and Canvas Test into maintenance mode while they investigate. That is why students at the University of Pennsylvania, Duke, Harvard, Wake County schools, OU, and a long list of California districts and Cal State campuses suddenly could not get to their assignments during finals week. The outage is the visible part. The data is the actual problem.
The full scope is not independently verified yet. The 9,000-schools number comes from the attackers, not from Instructure. But based on the institutions that have already confirmed they were affected, this is going to land as one of the largest education-sector breaches in recent memory.
What the attackers got
Based on what Instructure has disclosed and what has shown up on the leak site so far, the exposed data includes:
- Full names of students, teachers, and staff.
- Email addresses, including school-issued addresses and personal ones tied to the account.
- Student ID numbers as assigned by the institution.
- Messages sent inside Canvas. This is the one that bothers me most: years of student-teacher conversations, group chats, and private notes. ShinyHunters specifically threatened to release "billions of private messages between students and teachers" if the ransom is not paid.
- Course enrollment data showing what classes a person took or taught.
What the attackers did not get (so far)
This is the part I want everyone to read carefully, because most of the panic going around the parent group chats is about things that were never in the data set in the first place.
- No Social Security numbers. Canvas does not store them. They were not in the dump.
- No passwords. At most schools, users log in to Canvas through the university or district single sign-on. The breach hit Instructure's databases, not those identity providers, so your Canvas password is not the issue here.
- No financial information. No credit cards, no bank accounts, no tuition payment data.
- No dates of birth or government IDs in what has been disclosed so far.
If that holds, the practical risk to most affected users is not identity theft in the classic sense. The risk is targeted phishing, fraud, and impersonation built on top of the names, emails, IDs, and message contents that did get out.
What this actually puts you at risk for
Three things, in order.
1. Highly convincing phishing
The attackers (or whoever buys the data after they release it) now have a list of names, school email addresses, the schools those people attend, the courses they were enrolled in, and the names of professors and teachers they actually talked to. Expect emails and texts that look like they come from a specific professor, a specific TA, a specific course, with a link to "your final grade," "your scholarship application," or "your transcript." The detail will be unusually right. That is what the messages were stolen for.
2. Account takeover on other services
The Canvas password is fine. The email address tied to the account is now public. If that email is reused on other sites, and any of those sites had a breach, attackers can stuff those credentials into your Canvas-tied email and try to take it over. Email is the master key to most of someone's digital life. Defending it is the highest-value thing you can do this week.
3. Impersonation and "smishing" of family members
This is the one parents miss. If your kid's school email and name are out, scam texts to mom and dad now have a believable hook. "Hi mom this is Sarah, I am locked out of my Canvas account, I need you to send me a code." With enough breach data, an attacker can do that without ever talking to your kid.
What to do this week
Practical, in priority order. Most of this is free.
- Turn on multi-factor authentication on the email tied to your Canvas account. If you use Gmail, log in, go to Security, and turn on 2-Step Verification with the Google Authenticator app. If you use Outlook or Microsoft 365, do the same with Microsoft Authenticator. Do not use SMS as your only second factor; SMS gets SIM-swapped. This is the single highest-leverage thing on this list.
- Change your password on any site where you reused that email's password. If you have ever typed the same password into Canvas, your email, Netflix, and a random forum, fix it now. Use a password manager (Bitwarden has a free tier, 1Password is the paid pick) and let it generate unique passwords for every site.
- Tell your family the rule. No one in the family sends a code, password, or money based on a text or DM, ever, without calling the person on a known phone number first. If your kid is in college, agree on a code word right now that has to be spoken on the phone before money moves. This is the cheapest and most effective scam defense in existence.
- Get suspicious of "Canvas" emails for the next 60 days. Real Canvas notifications come from your school's domain or instructure.com. If a message asks you to click a link to "restore your account," "verify your data," or "claim a refund," it is almost certainly fake. Open Canvas by typing the URL yourself.
- Watch the school's official communications. Don't trust forwarded screenshots in group chats. Go to the school's actual website or sign in to your student/parent portal directly. Many schools will offer free credit monitoring; sign up if it is offered, even though SSNs were not in the breach. It costs nothing and the monitoring catches future weirdness.
- If you are a teacher or administrator, scan your Canvas messages for sensitive content. Anything you wrote in a Canvas DM about a student's mental health, accommodations, family situation, or grades may be in the dump. Your school's privacy office and counsel need to know which conversations were sensitive so they can decide whether individual notification is required.
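One way to turn the "real Canvas notifications come from your school's domain or instructure.com" rule into a repeatable check, as an added example that is not part of the original post: it assumes a hypothetical school domain example.edu and two constructed sample emails, and flags an untrusted sender domain, a mismatched Reply-To, link hosts outside the trusted domains, and the lure wording called out above.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse
# Per the post: real notifications come from the school's own domain (hypothetical example.edu) or instructure.com.
TRUSTED_DOMAINS = {"example.edu", "instructure.com"}
# Lure wording the post says to treat as almost certainly fake.
LURE_PHRASES = ("restore your account", "verify your data", "claim a refund")

def _domain(header: str) -> str:
    """Lowercased domain of an address header such as 'Name <a@b.edu>'."""
    return parseaddr(header or "")[1].rsplit("@", 1)[-1].lower()

def _is_trusted(host: str, trusted) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def assess_notification(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the red flags in one single-part email claiming to be from Canvas."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    flags = []
    sender = _domain(msg["From"])
    if not _is_trusted(sender, trusted):
        flags.append(f"sender domain {sender} is not the school or instructure.com")
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != sender:
        flags.append(f"replies go to {_domain(msg['Reply-To'])}, not the sender")
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        if not _is_trusted(host, trusted):
            flags.append(f"link points at {host}")
    for phrase in LURE_PHRASES:
        if phrase in body.lower():
            flags.append(f"lure phrase '{phrase}'")
    return flags

# Constructed samples: a lookalike lure and a plausible real notification.
PHISHING_SAMPLE = """From: Professor Alvarez <alvarez@canvas-support.xyz>
Reply-To: grades@mail-relay.xyz
Subject: Your final grade is on hold

Canvas is back from maintenance. Restore your account within 24 hours at
https://canvas-example-edu.xyz/restore to release your final grade.
"""
LEGIT_SAMPLE = """From: Canvas <notifications@instructure.com>
Subject: New assignment posted

A new assignment was posted in BIO 101: https://example.edu/courses/101
"""
```

Running `assess_notification(PHISHING_SAMPLE)` returns four flags, while the legitimate sample returns none; swap example.edu for your own school's domain to use it.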
What schools and districts need to do
If you run IT or compliance for a school, district, or campus, you have a different list. If your internal team is already stretched thin, a managed IT services partner can help turn the checklist into repeatable operations. Briefly:
- Confirm with Instructure in writing whether your tenant data was in the affected set, and ask for the indicators of compromise.
- Force a password reset for every account that has a local Canvas password (not SSO-only). It is a precaution, not a strict necessity, but the optics of skipping it are bad.
- Audit Canvas API tokens and third-party LTI integrations. Revoke anything that has not been used in 90 days. Rotate any credentials shared with third-party tools.
- Enable, or verify, MFA on every Canvas admin account and on the underlying identity provider.
- Send a clear, calm communication to staff, parents, and students within 72 hours. Tell them what was and was not exposed, what you are doing, and what you want them to do. Vagueness here breeds the rumor mill, and the rumor mill is what scammers love.
- Get your incident response and breach-notification clock started. Depending on the state, FERPA and state student privacy laws may require formal notification within a specific window. California schools should be talking to counsel about Civ. Code 1798.29 obligations.
The lesson for any business that uses cloud platforms
Canvas is not the only software-as-a-service platform that holds a giant pool of data about you. If you run a small business, you almost certainly have a Microsoft 365 tenant, a CRM, a payroll provider, a file-sharing service, and a handful of other vendors that each hold a different slice of what someone needs to impersonate you. Any one of them can have a Canvas-style Tuesday. The Canvas breach is a useful reminder of three things I keep saying to clients:
- Your vendors' security is part of your security. You inherited their controls when you bought their service. If they get breached, your data goes with them. Pick vendors who can answer security questions in writing.
- MFA on the email account is the single most important control in your business. Every other defense gets weaker if attackers can read your inbox.
- Assume your name and email are already in a dump somewhere. Plan for the phishing that follows. Train people on it. Pay for a phishing simulation tool. The Canvas data will be combined with three other breaches and used against your team within a year. That is not paranoid; that is the pattern.
If you have read this far and want a second pair of eyes on whether your small business in California has the basics in place, that is what our free cybersecurity assessment is for. 30 minutes, written list of what to fix first, no sales script. We can also help schools and districts in our service area with incident response, post-breach hardening, and backup and disaster recovery planning; just get in touch and we will move fast.
For more on the controls that actually stop this kind of thing, see the posts "how ransomware actually gets in in 2026" and "the cybersecurity mistakes I see in almost every small business."