Instructure Canvas Breach: 275 Million Student Records Compromised
ShinyHunters breached Instructure's Canvas LMS through a Free-for-Teacher account vulnerability, stealing 3.65 TB of student data from 8,800 institutions. They defaced login portals during final exams. Instructure paid a ransom. The House wants answers.

The breach

On May 5, 2026, TechCrunch reported that education technology giant Instructure — maker of Canvas, the learning management system used by 8,800 schools and universities — had suffered a massive data breach.

The attackers, operating as ShinyHunters, exploited a Free-for-Teacher account vulnerability — a feature designed to let educators create free teaching accounts — to gain access to the main Canvas database. Once inside, they exfiltrated 3.65 TB of data containing the personal information of 275 million students.

The stolen data includes names, email addresses, course enrollments, private messages between students and teachers, grades, and institution-specific identifiers. In many cases, it also includes dates of birth and Social Security numbers linked to student accounts.

The attackers went further: they defaced the login portals of approximately 330 institutions during final exam season, replacing login screens with ransom demands and messages claiming the breach.

The ransom payment

On May 12, The Register reported that Instructure paid an undisclosed ransom to ShinyHunters in exchange for "shred logs" — evidence that the stolen data had been destroyed.

Whether data destruction actually occurred is unverifiable. The FBI has repeatedly warned that paying ransoms does not guarantee data is deleted, and stolen data often resurfaces on breach forums months later.

Congressional response

The House Homeland Security Committee demanded CEO testimony, calling the breach "unacceptable" given the sensitivity of student data and the number of children affected. Committee chair Bennie Thompson stated the hearing would examine not just the breach itself, but the systemic failure of data security across the education technology sector.

The scale

To put 275 million records in context: that is more than the entire population of the United States under age 40.
If you or your children have used Canvas at any point — in K-12, higher education, or professional development — there is a reasonable chance this breach includes your data.

Why ed-tech breaches hit different

Student data is among the most sensitive categories of personal information. It includes:

Full names and home addresses
Dates of birth and Social Security numbers
Academic records and disciplinary histories
Special education classifications
Medical information submitted to schools
Behavioral and psychological assessments

Unlike credit card numbers, this data cannot be changed. A child's Social Security number exposed in a breach can be used for identity theft for decades. Yet education technology companies have historically underinvested in security relative to the sensitivity of their data:

FERPA, the U.S. federal student privacy law, was last meaningfully updated in 1974 and lacks modern breach notification requirements.
Many school districts lack dedicated security staff, making them dependent on vendor security practices.
Ed-tech procurement often prioritizes features and price over security posture.

The ShinyHunters record

ShinyHunters is one of the most active breach groups targeting the education sector. Their methodology is not sophisticated — they find exposed APIs, unpatched systems, and misconfigured cloud storage. The breach playbook has been documented repeatedly. The fact that they can still access a platform used by 8,800 institutions in 2026 is an indictment of ed-tech security maturity:

Wattpad (2020): 270 million records
Pixlr (2021): 1.9 million records
Instructure (2026): 275 million records — their largest education-sector breach to date
Ongoing: Constant scanning for exposed APIs and databases across the ed-tech stack

The broader context

This breach is not an isolated incident. Education technology companies operate with minimal regulation and inconsistent security practices:

FERPA — the federal student privacy law — was last meaningfully updated in 1974. It lacks breach notification requirements, security standards, and meaningful penalties.
Instructure paid the ransom because they knew litigation costs would exceed it. The business case for security investment only works when the cost of a breach exceeds the cost of prevention.
The 2026 NASCIO-Deloitte study found state CISO confidence has collapsed, with just 22% believing their data is protected from cyberthreats.

What schools and parents can do

For school administrators:
Audit vendor security before procurement. Ask for SOC 2 Type II reports, penetration test results, and incident response plans.
Minimize data collection. If a learning app doesn't need a student's home address, don't provide it.
Require encryption. Encryption of data at rest and in transit should be standard, not optional.

For parents:
Ask what apps your school uses. Many parents don't know which third-party platforms have access to their child's data.
Opt out where possible. FERPA allows parents to opt out of directory information sharing — a small but meaningful step.
Monitor credit. Children are increasingly targets of identity theft because their credit histories are clean slates.

The bottom line

Education technology companies operate in a sector where the customers (schools) lack security expertise, the users (children) cannot consent, and the regulators (FERPA) are decades out of date. The Instructure breach is not an isolated incident. It's a predictable outcome of an industry that treats student data as a testing ground for features rather than a trust to be protected.

The students whose data was exposed will graduate, enter the workforce, and apply for mortgages with breach histories stretching back to kindergarten. The companies that collected that data? They'll issue a statement, hire a PR firm, and move on.

Unless regulators — and school districts — start demanding better.