The Canvas Data Breach, Student Privacy, and What Comes Next
Mason & Perry LLP | June 1, 2026
On the morning of May 7, 2026, college students across the country logged into Canvas to access their finals-week study materials — and found a defaced login page instead. Within hours, it was clear this was no ordinary outage. ShinyHunters, the prolific cybercrime group responsible for a string of high-profile data thefts, had breached Instructure, the company behind Canvas, and claimed to have stolen 3.65 terabytes of data from approximately 275 million users across 8,809 educational institutions worldwide. By most accounts, it is the largest educational data breach in history.
What Was Taken
Instructure confirmed that the breach exposed names, email addresses, student ID numbers, and private messages exchanged among users — the everyday back-and-forth between students and professors that people reasonably assume stays within the classroom. The company said it found no evidence that passwords, Social Security numbers, dates of birth, or financial information were accessed. ShinyHunters, for its part, claimed otherwise.
That distinction matters enormously in the litigation now unfolding. Even setting aside the hacker’s claims, the category of data Instructure acknowledged losing is more sensitive than it might first appear. Private messages often contain phone numbers, home addresses, health disclosures, and personal details that students shared with instructors in the expectation of confidentiality. Student ID numbers, combined with names and email addresses, can be used to access university portals, apply for financial aid, or commit academic fraud. And the sheer scale of the breach — affecting tens of millions of users whose data was concentrated in a single vendor’s systems — created the kind of aggregated exposure that makes identity thieves particularly dangerous.
Instructure ultimately reached a ransom agreement with ShinyHunters on May 11 to prevent the full dataset from being published. The company paid. Whether that payment actually prevented distribution of the stolen data on criminal forums remains an open question.
The Legal Landscape
Class action lawsuits began appearing almost immediately. At least three federal complaints had been filed by mid-May, with more expected. The cases share a common theory: Instructure knew its systems were a high-value target, failed to implement reasonable data security measures, and caused foreseeable harm to the millions of students and educators who had no meaningful choice but to use the platform.
That last point is significant. Canvas is not a discretionary service. At many institutions, it is the only officially supported learning management system. Students cannot opt out. Employees cannot decline. When a company operates as a de facto monopoly over sensitive personal data — and then fails to protect it — the argument for legal liability is considerably stronger than in cases involving voluntary consumer services.
Federal and state data security laws provide multiple avenues for recovery. The FTC Act requires companies to maintain reasonable data security practices; internal FTC guidance has long treated the aggregation of large datasets without adequate protection as an unfair business practice. State consumer protection statutes in California, Illinois, New York, and elsewhere create parallel claims. And FERPA, the federal law governing educational records, while it does not create a private right of action on its own, informs the standard of care courts apply when evaluating a vendor’s obligations to the students whose records it handles.
What This Means for Students and Educators
For students, the immediate risk is phishing. Armed with names, email addresses, and student ID numbers, criminals can craft convincing impersonation messages — fake financial aid notices, counterfeit university IT alerts, or fabricated messages appearing to come from professors or advisors. Anyone who receives an unexpected request for login credentials, payment information, or personal details should verify it through official channels before responding.
The medium-term risk is credential stuffing and account takeover. Even if your Canvas password was not among the data stolen, criminals frequently use breached name-and-email combinations to test passwords across other platforms. If you reuse passwords — and most people do — change them now, and enable multi-factor authentication wherever it is available.
For educators, the breach raises a specific concern: private messages sent through Canvas may have carried the implicit expectation of confidentiality that is fundamental to the student-teacher relationship. The breach of that expectation is not merely a data-security problem. It is an educational one.
What You Can Do
Monitor your accounts closely. Set up alerts on your bank accounts, student loan portal, and any financial aid systems tied to your student ID. If you notice unfamiliar login attempts, report them immediately.
Be skeptical of unexpected messages. Phishing campaigns following large breaches typically begin within days. Do not click links in emails or text messages purporting to be from your university or Canvas unless you initiated the contact.
Document what you experienced. If you lost access to course materials, exam instructions, or gradebooks during the outage — particularly during finals week — make a record of it. Concrete harm, including disruption of academic standing or financial aid, may support a damages claim.
Consider whether you are a class member. If you used Canvas at any point before May 2026 at an affected institution, your data was likely in Instructure’s systems. Attorneys are actively investigating claims on behalf of students and faculty nationwide. You do not need to show identity theft or financial loss to participate in class action litigation — the breach itself may be sufficient.
Mason & Perry LLP represents individuals and groups in privacy and consumer-protection class action litigation. If you believe your data was exposed in the Canvas breach or any other incident, contact us to discuss your options.