Panic spread across university IT departments this week after hackers stole personal information from 275 million Canvas users—including students’ names, emails, student IDs, and private messages with professors. The ShinyHunters ransomware group didn’t just breach Instructure’s learning management system; they defaced login pages at major universities with ransom demands, turning familiar portals into digital billboards for extortion.
Students’ Canvas accounts contain more sensitive data than most families realize.
Your student’s Canvas account likely contains more sensitive data than you realize. While ShinyHunters didn’t access passwords or financial information, they harvested:
- Names
- Email addresses
- Student ID numbers
- Messages between users across 8,800 schools and universities
Think of it as someone rifling through your digital backpack—not your wallet, but everything else inside.
Major universities experienced widespread service disruptions and data exposure.
The breach hit heavy hitters hard. The University of Pennsylvania saw 306,000 affiliates affected before Canvas went dark on May 7. Harvard posted maintenance messages while Utah enhanced monitoring protocols. Virginia, Rutgers, and UT Austin all reported impacts, though most kept Canvas running with heightened security.
Instructure’s response efforts may prove inadequate against persistent threat actors.
According to Instructure CISO Steve Proud, “Staff are working to determine full scope and minimize impact,” but ShinyHunters claimed the patches weren’t enough, threatening to leak everything by May 12. Instructure revoked privileged credentials, deployed security patches, and engaged forensic experts—standard breach protocol that feels inadequate against a group this brazen. Law firms like Stueve Siegel Hanson are already investigating class-action claims, sensing blood in the digital water.
This breach exposes a brutal truth about edtech dependency. Canvas handles coursework for over 30 million users because schools moved fast and broke things during COVID’s digital scramble. Now families pay the privacy price for convenience, watching personal academic data become ransomware currency. Monitor students’ accounts for suspicious activity, but don’t expect this to be the last wake-up call. Digital learning platforms store intimate details about young lives—and hackers know it.





























