Hackers don't need your password to ruin your semester—the Canvas breach proves it

Educational platforms are one of the most reliably exploited targets in the ransomware landscape. It's not about financial data. It's about something far more dangerous: institutional trust.

Millions of students and faculty are conditioned to respond immediately to urgent messages from their school. That's the vulnerability. And in May 2026, a ransomware group called ShinyHunters knew exactly how to use it.

Their target was Instructure's Canvas, the learning management platform quietly running the academic lives of millions of students across the country. The timing was surgical—mid-finals, when disruption hits hardest and pressure to pay is highest. As the dust settles, coursework is in chaos and a massive trove of personal and academic data has walked out the door.

Key takeaways

• Who was affected: Students, faculty, and staff across thousands of K–12 schools and higher education institutions globally that use Canvas as their primary learning management system
• What was stolen: Usernames, email addresses, student ID numbers, course names, enrollment information, and private messages sent through the Canvas platform
• What was NOT compromised (per Instructure): Passwords, Social Security numbers, dates of birth, financial information, and submitted coursework or academic credentials
• How the attack worked: ShinyHunters exploited a vulnerability in Instructure's Free-For-Teacher accounts—first gaining access on April 29, 2026, then returning through a second vulnerability on May 7, 2026
• Current status: Canvas is fully operational; Instructure reached a ransom agreement and received digital confirmation that data was destroyed—though security professionals caution that no such guarantee is enforceable

Ransomware groups are shifting to educational targets

Ransomware groups aren't going after the most fortified targets anymore. They're going after the most useful ones.

In 2025 alone, 251 ransomware attacks hit educational institutions globally, resulting in 3.9 million records exposed—a 27% increase over the previous year.¹

The pattern is clear: hackers are moving away from enterprises with mature security postures and toward institutions that are data-rich, trust-dependent, and historically under-protected.

Education fits that profile precisely. Universities and K–12 networks hold years of personal records, communicate constantly via email and platform notifications, and operate in environments where students and faculty are conditioned to act on urgent institutional messages.

Why hackers target schools

• Maximum leverage: Schools run on data—grades, enrollment records, payroll—and when that data is locked, everything grinds to a halt. Administrators face an impossible choice: pay up or keep thousands of students and staff in limbo indefinitely.
  
• A goldmine of personal information: Few databases are as rich with sensitive data as those held by schools. Social Security numbers, birthdates, financial aid records... it's essentially everything an identity thief needs, all in one place. 

What information was exposed in the Canvas data breach

Based on Instructure's confirmed disclosures as of May 20, 2026, exposed data includes:²

• Usernames
• Email addresses (institutional and personal)
• Student ID numbers
• Course names and enrollment records
• Private messages sent through Canvas (including student-to-student and student-to-faculty communications)

Per Instructure, the following information is confirmed to NOT be exposed:²

• Passwords
• Social Security numbers
• Dates of birth
• Financial information
• Submitted coursework, grades, or academic credentials

Instructure has stated that its forensic investigation is ongoing and that Canvas administrators will receive preliminary findings about specific data fields.² The full scope of the exposure has not yet been confirmed.

The stolen data isn't just sensitive: it's a phishing kit

The data exfiltrated in the Canvas breach—names, school email addresses, course enrollments, and private Canvas messages—doesn't look dangerous on paper. No passwords. No financial data. No Social Security numbers.

But that's the wrong way to think about it.

The real risk is context. A phishing message that correctly names your professor, references the course you're enrolled in, and quotes a conversation you actually had through Canvas won't look like spam.

It will look exactly like something your institution sent you. That combination of data creates extraordinarily convincing social engineering material—and it's already being used.

The FTC has issued a consumer alert confirming that scammers are actively exploiting the breach, sending fake messages impersonating schools and Canvas support.³ That secondary fraud wave is now in motion.

ShinyHunters came back

This wasn't a one-and-done opportunistic scan. Instructure confirmed a second intrusion attempt on May 7—just days after the first was contained—through a separate, previously undisclosed vulnerability.²

That persistence matters. It signals targeted, deliberate exploitation, not a lucky hit. ShinyHunters had significant foreknowledge of how Instructure's infrastructure looked. They came prepared, and when the first door closed, they found another.

On the ransom "resolution": don't read too much into it

Instructure confirmed it reached an agreement with the attackers and received "digital confirmation" (described as shred logs) that the stolen data was destroyed.

This should not be read as a guarantee.

ShinyHunters is a well-documented threat actor with a history of claiming data destruction while retaining or monetizing exfiltrated files. The absence of a public data release is not evidence of deletion.

Anyone whose data was caught in this breach should operate under the assumption that their information is still out there—and stay alert for suspicious communications that appear to come from their school.

What to do after the Canvas hack

The data exposed in this breach creates a specific threat profile: targeted social engineering, not direct account compromise. That distinction should drive how you prioritize your response.

1. Treat unexpected school and Canvas messages as suspect, regardless of how legitimate they look.

This is the highest-priority action because it is where the stolen data will be weaponized first. Scammers now have enough context to construct messages that reference your real courses, real teachers, and real institutional relationships.

The FTC has specifically warned this is already happening.³ If a message asks you to verify your account, reset a credential, or take urgent action—go directly to your institution's official website or call the help desk. Do not use contact information provided in the message itself.

2. Change your Canvas and student account passwords, even though passwords were reportedly not stolen.

Reused passwords are the most common way a "safe" breach becomes a serious incident. If your Canvas email or username appears on the dark web in any other breach dataset (and many do), attackers will attempt credential stuffing against your other accounts.

Make this password unique, 16+ characters, and store it in a password manager. You can also run a dark web scan on OmniWatch to see which other companies leaked your personal data.

3. Enable multi-factor authentication on every account connected to your school email.

Your school email is the recovery address for every platform linked to your academic identity—financial aid portals, housing applications, scholarship systems, and student loan services. If a scammer can access that inbox, they can reach all of them. MFA is your containment layer.

4. Review your Canvas message history and flag anything sensitive.

Because private messages were in scope, think about what you may have discussed in those conversations: medical accommodations, financial circumstances, family situations. That information can be used to build targeted pretexts. Knowing what was potentially exposed helps you anticipate the specific form an attack against you might take.

5. Consider placing a credit freeze, even though SSNs were not reported stolen. Breached names and institutional email addresses are frequently cross-referenced against other leaked datasets to reconstruct more complete identity profiles.

Report identity theft to the FTC at ReportFraud.ftc.gov.

Don't let a data breach follow you into the future

OmniWatch detects when your personal information has been compromised in a breach, including your SSN, and email and password combinations that could lead to long-term identity issues—and alerts you in real time when your information surfaces in data leaks or on the dark web.

If you become the victim of identity theft, you're backed by up to $4 million in coverage and 24/7 U.S.-based restoration specialists ready to help you recover.

Disclaimer: Coverage limits, eligibility, and restoration availability vary by plan and region.

This article is published by OmniWatch. Follow OmniWatch on Facebook for ongoing guidance on identity protection, digital safety, and scam awareness.

Sources

1. Jon Clay. "U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026." TrendMicro.com, June 1, 2026. https://www.trendmicro.com/en_us/research/26/d/us-public-sector-under-siege.html
2. Instructure. "Security Incident Update & FAQs." Instructure.com, updated May 20, 2026. https://www.instructure.com/incident_update
3. Federal Trade Commission. "What to Know After the Canvas Cyberattack." FTC Consumer Alerts, May 2026. https://consumer.ftc.gov/consumer-alerts/2026/05/what-know-after-canvas-cyberattack
4. National Cybersecurity Alliance. "Canvas Data Breach: What Students, Parents, and Faculty Need to Know." Stay Safe Online, May 26, 2026. https://www.staysafeonline.org/articles/canvas-data-breach