Canvas Data Breach

08-May-2026

Once again, folks, I'm back to discuss a significant data breach.

This time we're discussing the breach of Canvas -- one of the largest "cloud" systems that you've probably never heard of unless you're a college student, faculty, or administrator.

At the end, I'll link to my article that discusses the larger topic of data breaches in general and where we are today.

What is Canvas?

Canvas is a "Learning Management System," or LMS: a hub for most things related to teaching. It's kind of an all-inclusive, one-stop-shopping application for everything instructors need to run their classrooms.

This includes, in part:

  • Posting assignments for students to complete
  • Collecting and grading those assignments
  • Administering quizzes, formal tests, and final exams
  • Tracking grades and attendance
  • Communicating individually with students and broadcasting announcements to the class

Parents -- If your kid is in college, there's a good chance they're using Canvas. There are other LMS products as well, but Canvas is the biggie with close to half of all colleges and universities.

What Happened?

A hacking group that calls themselves "ShinyHunters" infiltrated Canvas's corporate network and exfiltrated (stole) data concerning many millions of students and faculty across thousands of institutions. ShinyHunters claims to have exfiltrated more than 3.65 TB of data.

They are demanding payment of ransom from Canvas's corporate parent, Instructure, in exchange for not releasing the data publicly.

The timing likely isn't coincidental, either. I can well imagine that ShinyHunters waited until the hectic last weeks at the end of the school year when final exams were underway to "pull the trigger" on their attack. These are critical days for Canvas and their university customers, so a timed attack of this nature could strengthen ShinyHunters' negotiating position.

At the very moment of this writing, it's not been disclosed how much the ransom amount is, whether or not it was negotiated, or whether it was paid. When or if I learn of these details, I will update this article.

Update 12-May

So it appears that Instructure, the company behind Canvas, has almost certainly paid a ransom. According to them, ShinyHunters (the hacking group that breached Canvas) assured them the data would not be released nor would ShinyHunters extort money from individual schools or persons caught up in the breach.

I say "almost certainly" because Instructure's press release includes some weasel wording that strongly hints at paying a ransom without coming right out and admitting it. And without admission, there's also no statement of how much it could be. But based on what I've read about breach-related ransoms in general, my speculative guess would be in the mid-to-high single-digit millions, e.g., 5-8 mil. But that is strictly a guess. I have no connection to this case whatsoever.

You might (quite fairly) ask how Instructure could be sure ShinyHunters would keep their word. They're criminal hackers, after all. The truth is they can't be sure. But as incredibly ironic as it sounds, these criminal gangs don't want to besmirch their good names. Yeah, I know, I'm rolling my eyes as well.

But there is truth to that. Today's criminal hacking groups are operating more and more like legit businesses. For example, they offer support in undoing the effects of their attack, they (usually) honor their word, etc.

The reason is simple. Aside from the criminality of the breach itself, they want their victims, er, customers to "get what they paid for" in terms of removing the harm after paying the ransom. If they don't do that, then future victims will be even less likely to cough up a ransom.

It's also not been disclosed at this exact time how ShinyHunters managed to gain access to Canvas's infrastructure. But big data compromises like this usually happen in one of two ways and maybe a rare third way.

Please visit my detailed article on Data Breaches to learn more about what made the Canvas breach and many other breaches possible.