Canvas (Instructure) Data Breach 2026:
What You Need to Know
A cyberattack on Instructure, the US-based company behind the Canvas learning management system used by Australian universities, TAFEs, schools and government education departments, has exposed the personal data of an estimated 275 million students, teachers and staff worldwide. Here is what happened, what data was leaked, and steps you can take to protect yourself.
Your personal risk from this breach
Sign in or create a free account to see your personalised risk score.
What Happened
How the Canvas Breach Unfolded
30 April 2026
Instructure detected unauthorised access to its cloud-hosted Canvas environment. Parts of the service, including Canvas Data 2 and Canvas Beta, were taken offline as containment began. Some institutions experienced disruption to API integrations.
1 May 2026
Instructure publicly confirmed a “cybersecurity incident perpetrated by a criminal threat actor.” The company engaged outside experts and began notifying affected institutions. Instructure said the breach involved “certain identifying information of users” but stated there was no evidence that passwords, dates of birth, government identifiers or financial information were accessed.
3 May 2026
The extortion group ShinyHuntersclaimed responsibility on its leak site, alleging it had stolen 3.65 terabytes of data from approximately 9,000 institutions, including “several billions of private messages among students and teachers.” The group also claimed access to Instructure's Salesforce instance. These claims have not been independently verified.
5 to 7 May 2026
Australian universities and education departments began publicly acknowledging exposure and notifying students and staff. ShinyHunters published a list of 8,809 affected institutions across 10 countries, including Australia, the US, the UK, and several European countries.
Sources: ACS Information Age (May 2026), Inside Higher Ed (May 2026)
What Was Exposed
Personal Data Leaked in the Breach
The Canvas breach is unusual in that the most sensitive identity-fraud data (passwords, dates of birth, government identifiers, financial details) was notexposed (per Instructure's confirmed assessment). However, the combination of names, emails, student IDs, and the contents of private messages between students, teachers and parents creates significant social-engineering and phishing risk, particularly for minors and their families.
| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | High | Students, teachers, parents and staff at affected institutions |
| Email address | High | All affected user accounts |
| Student ID number | Medium | Students at affected institutions |
| Private messages (student-to-teacher, student-to-student) | High | Users who exchanged messages on Canvas |
| Course information / academic context | Low | Per-institution variation |
Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Identity-linked data combined with private-message content is rated higher because it enables highly targeted phishing using real names, real teachers, and real conversations.
✅ Confirmed NOT Exposed
Instructure confirmed there is no evidence that passwords, dates of birth, government identifiers (driver licence, passport, Medicare numbers) or financial information were accessed. This is a meaningful difference from breaches such as Optus (2022) or Latitude Financial (2023).
Company Response
What Instructure Did
“Our investigation determined that a criminal threat actor accessed certain identifying information of users at affected institutions … We have engaged outside experts and have undertaken a range of remedial actions including system patches and revoking privileged credentials.”
Actions Taken by Instructure
- Engaged external cybersecurity experts to investigate
- Patched the exploited vulnerability
- Revoked privileged credentials and reset access
- Took Canvas Data 2 and Canvas Beta offline temporarily
- Notified affected institutions and provided forensic updates
- Did not pay the ransom; ShinyHunters has threatened public release of the data
What Now?
Steps You Can Take After the Canvas Breach
The Canvas breach exposes you primarily to highly targeted phishing, not direct identity fraud. The attacker (or anyone who buys the leaked data) can compose messages that appear to come from your school, university, teacher, or child's school, referencing real names, real classes, even real prior conversations. The actions below are organised by who you are and what you should prioritise.
For Students and Staff at Affected Institutions
Your name, university or school email, and student ID may be public.
Reset your Canvas password where applicable
~5 minEnable multi-factor authentication on linked accounts
~5 minBe alert for ‘Canvas’ phishing emails
For Parents of Students at Affected Schools
Your child’s name, school email, student ID, and possibly message content with teachers may be exposed.
Verify the breach notification is genuine
~10 minTalk to your child about what messages were exchanged
Reset your child’s Canvas password and any reused passwords
~5 minBe alert for school-themed phishing
For Teachers and Education Staff
Your name, work email, and any messages you sent through Canvas may be exposed.
Watch for impersonation of you to your students or colleagues
Reset your Canvas-linked email password
~5 minReport suspected phishing through your institution’s IT team
Long-term Hygiene (across all groups)
Australian resources for breach response and identity protection.
Stay alert for targeted phishing
Not sure which of your accounts are affected?
In The Event Of discovers your accounts automatically and alerts you in real time when new breaches affect your data.
Are You Still at Risk?
The Hidden Danger: Compound Breach Exposure
The Canvas breach does not happen in isolation. Australia has experienced a sustained sequence of major breaches over the past four years. If your email also appeared in earlier Australian breaches, the combined data may give attackers a much more complete profile.
How breach data compounds
On its own, the Canvas breach exposes name, email, student ID, and possibly private message content. If your email also appeared in the Optus (2022), Medibank (2022), Latitude Financial (2023), or Qantas (2025) breaches, the combined dataset may include date of birth, address, identity documents, health records, and financial data, dramatically elevating your overall identity-fraud risk.
- Optus (2022)9.8M records: identity documents
- Medibank (2022)9.7M records: health information
- Latitude Financial (2023)14M records: identity documents
- Qantas (2025)5.7M records: name + DOB + contact details
- Canvas (2026)name, email, student ID, message content
If your email appears in two or more of these, your risk level is significantly elevated. In The Event Of can map your exposure across known Australian breaches and help you prioritise what to address first.
Frequently Asked Questions
Canvas Breach FAQ
Sources
- ACS Information Age: "Australian unis reassure victims after major hack"
- Inside Higher Ed: "PAY OR LEAK: Hackers Target Big Higher Ed Vendor"
- Malwarebytes Labs: "Millions of students’ personal data stolen in major education breach"
- Hackread: ShinyHunters’ Instructure Canvas LMS and Vimeo Breaches
- OAIC: What is personal information? (Privacy Act 1988 categories)
- OAIC: Australian Privacy Principles
Other Major Australian Data Breaches
Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.
NYC Health + Hospitals Data Breach 2026
~1.8M records exposed
Australian Courts Data Breach 2026
Thousands of files records exposed
youX Data Breach 2026
~444K records exposed
Prosura Data Breach 2026
300K-500K records exposed
Booking.com Data Breach 2026
Undisclosed records exposed
McGraw Hill Data Breach 2026
13.5M records exposed
Crunchyroll Data Breach 2026
Undisclosed records exposed
Eurail Data Breach 2026
300K+ records exposed
Basic-Fit Data Breach 2026
1M records exposed
Under Armour Data Breach 2025
72M records exposed
Salesforce (ShinyHunters) Data Breach 2025
~1B records exposed
Allianz Life Data Breach 2025
2.8M records exposed
Workday Data Breach 2025
Undisclosed records exposed
Western Sydney University Data Breach 2025
10K records exposed
Genea Fertility Data Breach 2025
940K records exposed
DeepSeek Data Breach 2025
1M records exposed
Tangerine Telecom Data Breach 2024
232K records exposed
Australian Clinical Labs Data Breach 2022
223K records exposed
Qantas Data Breach 2025
5.7M records exposed
Optus Data Breach 2022
9.8M records exposed
Medibank Data Breach 2022
9.7M records exposed
Latitude Financial Data Breach 2023
14M records exposed
MyDeal (Woolworths) Data Breach 2022
2.2M records exposed
Disclaimer:This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing (8 May 2026) and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Instructure, Inc. or any of the named educational institutions. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities (IDCare, Scamwatch, your institution's IT team) and seeking professional guidance specific to your circumstances.