Monday, June 1, 2026

Canvas Data Breach 2026: Which Universities Were Affected and What Students Should Do Now

In late April and early May 2026, Canvas, the cloud-based learning management system used by more than 30 million active users worldwide, was hit by two major data breaches orchestrated by the cybercrime group ShinyHunters. The timing was almost as bad as it could have been: the attacks struck during final exam season, disrupting students and professors at thousands of institutions across multiple continents.

If you are a student, a parent of a student, a professor, or an IT administrator at any institution that uses Canvas, this guide explains exactly what happened, which universities have been confirmed as affected, what data was stolen, and the steps you should take right now to protect yourself.

What Happened

On 25 April 2026, unauthorised actors gained access to Canvas systems operated by parent company Instructure. Four days later, on 29 April, Instructure detected the intrusion, revoked the unauthorised access, and engaged third-party forensic experts to assess the scope of the breach. The company disclosed the incident publicly on 1 May.

Then, on 7 May 2026, ShinyHunters struck again. In a dramatic escalation, the group replaced Canvas course content with ransom notes visible to every user logged into the platform, demanding payment to prevent the release of stolen data. The outage brought Canvas offline during active exam periods, forcing professors to scramble for alternative ways to share materials and prompting several universities, including Pennsylvania State University, to cancel scheduled exams outright.

By 8 May, Canvas was restored. Instructure reported the platform was safe to use, while continuing to investigate the full scope of the breach.

The two-breach pattern is unusual and worth flagging. Most large platform breaches involve a single intrusion followed by negotiation. The Canvas case involved an initial breach, a remediation, and then a separate, more aggressive follow-up attack just over a week later. Security researchers have suggested this may indicate that the group retained or sold access credentials before the first intrusion was fully contained, but Instructure has not publicly confirmed the mechanism.

Which Universities Were Affected

The breach was global in scope. ShinyHunters claimed that nearly 9,000 schools worldwide were affected, although the full scale of the impact has not been independently verified at the time of writing.

United States: Harvard University, Columbia University, Rutgers University, Princeton University, Georgetown University, Kent State University, the University of Oklahoma, the University of Pennsylvania, the University of Washington, multiple University of California campuses, and Pennsylvania State University.

International: In Hong Kong, five institutions including the Hong Kong Polytechnic University (where roughly 42,000 students and staff were reported affected) confirmed involvement. In the Netherlands, the University of Amsterdam was named among 44 Dutch educational institutions affected. In New Zealand, the University of Auckland, Auckland University of Technology, and Victoria University of Wellington all confirmed they were impacted. Several institutions in Australia, Singapore, and Canada have issued precautionary notices.

If your institution is not on this list, that does not mean you were unaffected. Many institutions are still investigating and may notify students in the coming weeks. The conservative assumption for any Canvas user during this period is that some of your data may have been exposed.

What Data Was Stolen

Instructure has confirmed that the breach involved personal identifying information of the kind that is commonly found in campus directories. Specifically, this includes:

  • Names
  • Email addresses
  • Student ID numbers
  • Private messages sent within the Canvas platform

Importantly, Instructure stated there is no evidence that passwords, dates of birth, government identifiers (such as Social Security numbers or national ID numbers), or financial information were involved in either breach.

That said, the data that was exposed is more than enough to enable targeted phishing campaigns. Knowing a student’s full name, their university, their student ID number, and the content of recent academic communications gives a scammer the raw material to construct a highly convincing impersonation of a professor, a financial aid office, or a registrar.

Who Are ShinyHunters

ShinyHunters is a prolific criminal extortion group with a long history of targeting technology and education platforms. The group has previously been linked to data breaches affecting major social media platforms, telecommunications providers, and several other large consumer technology services.

The group’s operating model is straightforward: gain access, exfiltrate data, then extort the victim with the threat of public release. Payment demands are typically denominated in cryptocurrency and routed through a layered set of mixers and exchanges that make recovery difficult.

Following the second breach, ShinyHunters posted a ransom note threatening to release all stolen data unless schools negotiated a settlement by 12 May 2026. Whether any institutions ultimately paid is not publicly known, although the security community has noted that paying a ransom rarely prevents data from being released.

What Should Students and Staff Do Right Now

Whether or not your institution appears on the confirmed list, the following steps are worth taking immediately. They cost nothing, take less than thirty minutes in total, and meaningfully reduce your exposure.

Change Your Canvas Password Now

Even though Instructure reports no evidence that passwords were directly stolen, any time a data breach occurs on a platform you use, it is good practice to update credentials on the affected platform. Choose a strong, unique password that you do not use anywhere else.

Change Passwords on Other Sites Where You Reused Credentials

Data from breaches is frequently used in credential-stuffing attacks against unrelated platforms. If your Canvas password is the same as your password on email, banking, social media, or other accounts, change those too. This is the single most important action on the list.

Start Using a Password Manager

A password manager generates long, random, unique passwords for every login and stores them securely. This breaks the credential-stuffing attack pattern permanently. Most reputable password managers offer free tiers that are more than adequate for student use.

Enable Multi-Factor Authentication

Turn on MFA on your Canvas account, your university email, and any other account that supports it. Your university email is particularly important because it is often used for password resets on other services. If an attacker can access your email, they can often reset passwords on everything connected to it.

Use an authenticator app rather than SMS-based MFA where the choice is available, because SMS codes can be intercepted through SIM-swap attacks.

Be Alert to Phishing Attempts

With your name, email address, student ID number, and recent communication patterns potentially exposed, scammers now have enough information to craft convincing targeted phishing messages. These will impersonate your university administration, your professors, the financial aid office, the registrar, IT helpdesk, or campus security. Expect them. Be sceptical of any unexpected message demanding immediate action.

Specific red flags to watch for

  • Emails requesting that you log in to “verify your Canvas account” via a link in the message
  • Texts or calls claiming there is an issue with your tuition payment that needs immediate resolution
  • Messages from “your professor” with attached “exam materials” or “grade revisions” that you were not expecting
  • Offers of scholarship money or financial aid that require you to provide bank details before you can receive the funds

If you receive a suspicious call, text, or email, do not respond directly. Use another method to verify that the request is authentic. Call your professor on the number listed in the official faculty directory, not the one in the suspicious message. Log in to Canvas by typing the URL into your browser, not by clicking a link.
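The first red flag above, a link that claims to lead to Canvas but goes somewhere else, can also be checked automatically at a mail gateway or help desk. The following is an added example, not part of the original article or any Instructure tooling; the hostnames in `TRUSTED_HOSTS`, the lure word list and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: replace with the hostnames your institution really uses.
TRUSTED_HOSTS = {"canvas.example.edu", "sso.example.edu"}
LURE_WORDS = ("canvas", "verify", "log in", "grade", "tuition")
# Constructed sample message body, not taken from a real campaign.
SAMPLE_EMAIL = """<p>Your account is on hold.
<a href="https://canvas.example.edu.acct-check.example/login">Verify your Canvas account</a>
<a href="https://files.example.net/x">https://canvas.example.edu/login</a>
<a href="https://canvas.example.edu/courses">Canvas dashboard</a></p>"""

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def _host(url):
    # .hostname drops userinfo and port, so "trusted@other.example" yields other.example
    try:
        return urlsplit(url if "://" in url else "//" + url).hostname or ""
    except ValueError:
        return ""

def suspicious_links(html_body):
    """Return (host, reason) for each link a mail filter should hold for review."""
    parser, findings = _Links(), []
    parser.feed(html_body)
    for href, text in parser.links:
        host = _host(href)
        # Exact host match only: a trusted name used as a prefix must not pass.
        if host in TRUSTED_HOSTS or not href.lower().startswith(("http://", "https://")):
            continue
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != host:
            findings.append((host, "visible URL names " + shown))
        elif any(word in text.lower() for word in LURE_WORDS):
            findings.append((host, "lure wording on untrusted host"))
    return findings
```

Findings are a reason to hold a message for review, not proof of phishing; link text that merely looks like a hostname (a file name, for instance) will also be flagged.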

Monitor Your Accounts

While financial information was not reportedly exposed in the Canvas breach, keeping a close eye on bank and credit accounts for unusual activity is always prudent following any breach of personal data. Most banks let you set up alerts for transactions above a defined threshold. Turn those on if you have not already.

Update Your Recovery Information

While you are checking account security, update the recovery email and phone number on your most important accounts. Make sure they point to a current, secure address and number that only you control.

What Institutions Should Do

For IT teams and administrators at institutions that use Canvas or any other major LMS, the practical takeaways are:

  • Conduct an audit of your Canvas integrations and access patterns. Limit the data shared with Canvas to the minimum necessary.
  • Review SSO and identity provider configurations. Ensure that compromise of the LMS cannot cascade into broader access to institutional systems.
  • Communicate clearly and quickly with students. Vague, delayed notifications damage institutional trust more than the breach itself does.
  • Review your incident response plan and run a tabletop exercise. The Canvas breach is a reminder that third-party platform compromise is one of the most likely incident scenarios facing higher education in 2026.
  • Verify that critical academic data (grades, transcripts, course materials) has secure independent backups outside the LMS.

The Broader Lesson

Colleges and universities have historically been among the softer targets in the cybersecurity landscape. They hold vast amounts of valuable intellectual property alongside large volumes of sensitive personal information, often operating on decentralised, relatively open networks with constrained IT security resources. In the last 20 years, American educational institutions alone have experienced more than 3,100 data breaches.

The Canvas breach of 2026 is a reminder that the tools students and professors rely on every day are not immune to sophisticated criminal attacks. It is also a reminder that the responsibility for protecting student data does not stop at the institution’s network perimeter. Every vendor in the institutional technology stack, including learning platforms, video conferencing tools, student information systems, payment processors, and library systems, is a potential point of compromise.

For students, the practical takeaway is unchanged from every previous breach: use unique passwords managed by a password manager, enable multi-factor authentication everywhere it is offered, and be sceptical of unexpected communications that demand urgent action. These habits cost very little and protect you against the vast majority of follow-on attacks that breaches like the Canvas one make possible.

The Bottom Line

The Canvas breach affected potentially millions of students and staff across thousands of institutions worldwide. The data exposed is limited but meaningful, and the most likely real-world consequence for affected students is a wave of targeted phishing attempts in the coming weeks and months. Taking thirty minutes today to update passwords, enable MFA, and start using a password manager is the highest-leverage thing any affected user can do.

Frequently Asked Questions

Which universities were affected by the Canvas data breach in 2026?

Among the confirmed institutions: Harvard, Columbia, Princeton, Rutgers, Georgetown, Penn State, the University of Pennsylvania, the University of Washington, multiple UC campuses, the University of Oklahoma, and many international schools including institutions in Hong Kong, the Netherlands, and New Zealand. ShinyHunters claimed nearly 9,000 schools worldwide were affected, although the full scope has not been independently verified.

What data was stolen in the Canvas breach?

Instructure has confirmed that names, email addresses, student ID numbers, and private messages within the Canvas platform were involved. The company stated there is no evidence that passwords, dates of birth, government IDs, or financial information were compromised.

Who was behind the Canvas hack?

The cybercrime group ShinyHunters claimed responsibility for both the 29 April and 7 May 2026 breaches. The group has a long history of targeting technology and education platforms.

Is Canvas safe to use now?

Instructure reported that Canvas was restored and safe to use as of 8 May 2026. However, students and staff are strongly advised to update passwords and enable multi-factor authentication as a precaution.

What should students do if their university was affected by the Canvas breach?

Change your Canvas password immediately, change passwords on any other sites where you reused the same credentials, enable multi-factor authentication on your university email and other important accounts, start using a password manager, and be alert to phishing emails impersonating your university.

Will paying the ransom prevent stolen Canvas data from being released?

Historically, paying ransom rarely prevents stolen data from being released. Even when a payment is made, criminal groups frequently release data anyway, sell it to other criminals, or come back for additional demands.
