Canadian Cyber Security Journal

ShinyHunters Breaches Instructure Canvas: 275 Million Users at 9,000 Schools Exposed — What Canadian Educators Need to Know

What Happened

Instructure, the company behind the Canvas learning management system, confirmed on May 1, 2026 that it suffered a cybersecurity incident in which ShinyHunters claims to have exfiltrated 3.65 terabytes of data. The threat group alleges the data covers approximately 275 million users across nearly 9,000 educational institutions worldwide.

According to Instructure’s disclosure and independent analysis, the compromised data includes names, email addresses, student ID numbers, and private messages between students, teachers, and administrators. Instructure states it has found no evidence that passwords, dates of birth, government identifiers, or financial information were accessed. The company deployed patches, increased monitoring, and rotated all application API keys, requiring customers to re-authorize third-party integrations.

The breach was largely contained by May 3, 2026, when access to the Canvas Data 2 analytics platform was restored. ShinyHunters has previously claimed responsibility for major breaches at Canada Life, Medtronic, Carnival Corporation, and Anodot, establishing a pattern of high-volume data exfiltration followed by ransom demands.

Why This Matters for Canadian Organizations

Canvas is one of the most widely deployed learning management systems in Canada. Post-secondary institutions including major universities and colleges across British Columbia, Ontario, Alberta, and Quebec run Canvas as their primary course delivery and student communication platform. Thousands of K-12 boards use Canvas for digital learning.

The private messaging functionality is significant. In a school context, those messages include sensitive communications between students and counsellors, accommodations discussions, and academic integrity conversations. Under PIPEDA and provincial education privacy legislation — including FIPPA in British Columbia and Ontario’s Education Act — educational institutions are required to protect student personal information held by service providers. A breach of a third-party SaaS provider does not relieve the institution of accountability obligations.

Canadian institutions should verify whether their specific deployment is among the affected accounts by contacting Instructure directly. They should also check whether the Canvas API keys previously used to authorize third-party integrations, such as proctoring software, accessibility tools, or analytics platforms, were revoked and re-issued after the breach. Leaked API keys represent a secondary credential exposure risk even if the exposure of student data itself was limited.

What to Do

Re-authorize all Canvas Data 2 and LTI integrations using newly rotated API keys. Notify affected students and staff as required under your institution’s privacy obligations and provincial legislation. If your institution’s data was confirmed as part of the breach, consult with your privacy officer on whether a PIPEDA breach report to the Office of the Privacy Commissioner is warranted. Students and staff should treat any unusual communications appearing to come from Canvas accounts with heightened scrutiny, as exposed private messages and email addresses create a social engineering risk.

Read the full Instructure disclosure via BleepingComputer and SecurityWeek.
