The ransom deadline was May 6, 2026. Today.
If you received a course assignment through Canvas this semester, submitted a paper through it, messaged a professor about a disability accommodation, or asked a teaching assistant a question you weren’t comfortable raising in class — your name, your email address, your student ID, and the contents of those messages may now be in the hands of one of the most prolific data extortion groups operating today.
Instructure, the company that makes Canvas, confirmed on May 5 that it had suffered a cybersecurity incident affecting its cloud-hosted environment. The group claiming responsibility is ShinyHunters. Their ask: pay up, or they publish. The data they claim to hold: 3.65 terabytes. 275 million user records. 8,809 institutions. Billions of private messages.
This is the largest breach in the history of educational technology.
Who ShinyHunters Are and Why That Matters
ShinyHunters is not a minor nuisance actor. They are among the most operationally capable ransomware and data extortion groups tracked by cybersecurity researchers — responsible for the Ticketmaster breach in 2024, which exposed the personal data of over 500 million people, and a wave of breaches affecting customers of companies that stored data in Snowflake cloud environments. They have demonstrated both the technical capability to exfiltrate very large datasets and the willingness to follow through on leak threats when ransom demands go unmet.
The group posted their Instructure claim to a dark web forum on May 2, stating they had stolen 3.65 terabytes of data across nearly 9,000 institutions. They provided a list of 8,809 school districts, universities, and online education platforms to BleepingComputer as proof. The message to Instructure was blunt: “reach out by 6 May 2026 before we leak along with several annoying [digital] problems that’ll come your way.” The closing line — “make the right decision” — is the standard extortion template.
Instructure’s response has been to confirm the incident is real without confirming the full scope of ShinyHunters’ claims. That gap — between what the company will say and what the attackers claim — is where affected students and institutions are left to wait.
What Was Taken
Instructure confirmed the breach may include names, email addresses, student ID numbers, and Canvas Inbox and Discussion messages of past and current users. The company said passwords, single sign-on credentials, student assessment data, dates of birth, government identifiers, and financial information were not involved.
That list of what wasn’t taken may seem reassuring. It shouldn’t be.
The messages are the problem.
Canvas Inbox and Discussion boards are where students do things they don’t do in public. They disclose mental health struggles to professors. They explain why they’re missing class — sometimes revealing disability status, medical treatment, family emergencies, or personal crises. They dispute grades in terms they’d never use in person. They ask for help with accommodations. They confide in advisors and counselors. They complain about each other and their instructors. They process, in text, the kinds of things that 18-to-25-year-olds process when they’re away from home for the first time.
ShinyHunters says they have “several billions” of these messages. If that claim is accurate — and Instructure’s confirmation of Inbox message exposure does not contradict it — then what has leaked is not just a database of names and emails. It is, in functional terms, a transcript of the interior life of an entire generation of students.
That kind of data does not just enable phishing attacks. It enables targeted harassment, blackmail, coercion, and the kind of precise social engineering that turns a name and email address into a devastating personal exposure.
The Scale Is Hard to Comprehend
Canvas is used by 41 percent of higher education institutions in North America. The 9,000 institutions in ShinyHunters’ claimed breach list include not just universities but K-12 school districts and online education platforms — meaning the affected population spans every age group, not just traditional college students.
The University of Auckland in New Zealand confirmed it was among the affected institutions. The University of Wisconsin-Milwaukee issued a statement saying it was monitoring the situation. At the University of Pennsylvania alone, reports indicate more than 300,000 users may be affected.
Those are just the institutions that have said something publicly. Most have not.
For context on scale: the PowerSchool breach in December 2024 — previously the largest EdTech incident on record — exposed data on millions of K-12 students. The MOVEit breach in 2023 swept up dozens of universities. The National Student Clearinghouse breach the same year affected 890 institutions. Instructure dwarfs all of them.
FERPA Was Not Built for This
The law governing student data privacy in the United States is the Family Educational Rights and Privacy Act — FERPA. Passed in 1974, it gives students over 18 (and parents of younger students) the right to access and control their educational records, and restricts schools from disclosing those records without consent.
FERPA was designed for manila folders in a registrar’s office. It was not designed for a cloud-hosted learning management system used by 275 million people, operated by a private company, breached by a criminal syndicate, and holding billions of private messages.
The parallels to HIPAA — and the Talkspace breach we covered in April — are direct. HIPAA was designed for paper medical records and fax machines, not for a chat-based therapy app sitting on 140 million message exchanges. FERPA was designed for transcript requests and grade appeals, not for the intimate digital correspondence of an entire student population stored in a vendor’s cloud.
Both laws have disclosure requirements. Both laws have breach notification frameworks. Neither law was written for the world it’s now being asked to govern.
Under FERPA, a breach of “education records” — which Canvas messages may well qualify as — triggers notification obligations for the institutions that are FERPA’s actual covered entities. But Instructure is not a FERPA-covered entity. The schools are. Those 8,809 institutions are now in the position of having to assess, investigate, and potentially notify millions of students about a breach in a vendor’s system that they did not operate, could not control, and may not have been monitoring in real time.
That institutional burden — spread across thousands of universities, community colleges, and school districts with varying IT capacity and legal resources — is itself a systemic problem FERPA doesn’t solve.
EdTech’s Structural Privacy Problem
The Canvas breach is not an isolated incident. It is the latest data point in a pattern that has been building for years.
EdTech companies have consolidated control over the data of entire student populations. Canvas dominates the higher education learning management space. PowerSchool dominates K-12 student information systems. Chegg, Pearson, ProctorU, and dozens of other vendors have suffered breaches of student data in the past five years. In each case, the architecture is the same: a single vendor holds data on millions of students across thousands of institutions, creating a concentration of sensitive data that becomes an extraordinarily attractive target.
The CISA K-12 Cybersecurity Report has noted for years that schools and EdTech vendors are among the most targeted sectors in the United States, with ransomware groups specifically hunting for large student datasets because of their value for identity fraud, social engineering, and targeted extortion.
The Instructure breach follows that pattern precisely. The question it raises is not whether EdTech companies can be breached — clearly they can — but whether the industry’s data concentration model is compatible with meaningful student privacy protection.
The answer, at this scale, appears to be no.
What Students and Institutions Should Do Right Now
If you’re a student who has used Canvas at any point — not just currently, but historically — you are potentially affected. The breach appears to include past and current users.
Watch for phishing. Your name, email address, and student ID are the raw material for highly targeted phishing attacks. Any email claiming to be from your institution about account security, credential resets, or “breach notifications” that asks you to click a link should be treated with extreme caution. Go directly to your institution’s official website rather than following email links.
Check your email accounts for unusual activity. Student email addresses tied to institutional identity can be used to try to access other services where you’ve used that email to sign in. Change passwords on critical accounts and enable multi-factor authentication if you haven’t already.
Be aware that your private messages may be in this dataset. If you shared anything sensitive through Canvas Inbox — medical information, disability disclosures, personal crises — consider who else might see that information and whether you need to take protective steps.
For institutions: Assess your FERPA notification obligations now, before the breach scope expands. Document what data your Canvas instance held and for how long. Review your vendor agreement with Instructure for breach notification terms and indemnification provisions. If you haven’t already, begin stakeholder communication — even a brief acknowledgment that you’re monitoring the situation is better than silence.
For EdTech vendors and the institutions that contract with them: the structural question raised by this breach is about data minimization and retention. Does Canvas need to retain messages from students who graduated five years ago? Does every past user’s data need to live in the same cloud environment indefinitely? The principle of retaining only what is necessary, for only as long as necessary, is not a luxury — it is the only defense against the consequences of the breach that just happened.
Protect Your Privacy
The Canvas breach is part of a broader EdTech data concentration problem that has been building for years. If you want to track what’s been exposed and what to do about it:
- Data breach tracking and notification resources — Check whether your specific institution or data has been confirmed in recent breaches: Breached.company
- FERPA, HIPAA, and privacy law compliance guides — What the law actually requires from institutions and vendors after a breach: ComplianceHub.wiki
- Personal privacy assessments and digital hygiene tools — Steps to take after your data is exposed: MyPrivacy.blog
Sources: TechCrunch, BleepingComputer, Inside Higher Ed, Malwarebytes, TechRepublic, K-12 Dive, The Daily Pennsylvanian, University of Auckland and University of Wisconsin-Milwaukee institutional statements.



