If you got an email from your school this week about a breach of Canvas, you’re one of, uh, a few hundred million people in the same situation. The short version: a criminal group called ShinyHunters broke into Instructure, the company that makes Canvas, and copied data from around 8,800 schools. So let me run through the three questions you probably have.
What you need to do
Go directly to your university’s website, reset your password, and set up multi-factor authentication
If you have multi-factor authentication set up, attackers will be unable to access your account with just the password.
Do not click links in emails
For the rest of your time in school, be suspicious of any email to your university email address. Do not click links directly in emails. If something asks you to log in, go directly to the webpage and log in from there.
Change any passwords that match
If you re-use your university password on any other sites, it’s a good idea to go and change those passwords as well. (I of course use 1Password and never re-use a password pushes his glasses up like a nerd)
What happened
Canvas is the learning platform thousands of universities and K-12 schools use to post syllabi, run quizzes, and let students and instructors message each other. Instructure, the company behind it, runs it as a single piece of software for everyone, so one break-in there produces one very large pile of stolen data.
Here’s the timeline:
- April 29, 2026. Instructure noticed unauthorized activity in Canvas and cut off the intruder.
- May 1. Schools began notifying students.
- May 7. The same attackers got back in through the same weakness. They defaced the login pages of around 330 schools with a JavaScript ransom note, forcing Instructure to pull Canvas offline for a day during final exams and AP testing.
- May 11. Instructure announced it had reached an “agreement” with the attackers. Translation: it paid them. The company says it received “digital confirmation of data destruction (shred logs).”
Instructure says the stolen data includes usernames, Canvas user IDs, school email addresses, course names and enrollment info, and messages sent inside Canvas. It says the data does not include passwords, government IDs (SIN, SSN, driver’s licence), dates of birth, financial information, or assignment submissions. ShinyHunters claims it took 3.65 terabytes covering about 275 million records and billions of private messages.
The “we paid them and they deleted it” ending is the part security folks are rolling their eyes at. (Yeah, sure.) You can’t un-copy a file. Shred logs are text files that anyone can write. The same group has been caught reselling data they swore they had deleted. The data is still out there. It will surface again. Plan for that, not for the press release.
ShinyHunters has been around since 2019. If you’ve seen news of a big data breach in the past few years, there’s a decent chance they were involved: Tokopedia (~91 million accounts), Wattpad (~270 million), AT&T (twice, well over 100 million combined), Ticketmaster via the 2024 Snowflake spree (~560 million), and a campaign against Salesforce customers last year that grabbed roughly 1.5 billion records across 760+ companies. French police arrested four members in mid-2025; the group kept operating. The US House Homeland Security Committee has now opened an investigation into how Canvas got hit twice in two weeks.
How they got in is, uh, the part Instructure isn’t saying out loud yet. Reporting points at Instructure’s “Free for Teacher” program, a free-tier signup anyone teaching anything can use, but Instructure has not confirmed the precise mechanism.
Are you at risk?
Yes. But not how you’re picturing it.
You’re not at risk of identity theft from this breach in isolation. Nothing in the stolen data is enough to open a credit card or a loan in your name. Your bank info, government IDs, and password were not in the pile.
You are at risk of phishing that’s more convincing than the usual stuff for the next few months, and possibly years. Someone writing scam emails who already knows your name, your school, your school email, the courses you’re enrolled in, and snippets of real conversations with your instructors can build a message that looks far more legitimate than the average “Your Netflix has been suspended” attempt. Expect more of these. Expect at least one to be good.
The defensive habits in section one are the ones that protect you, not just from this breach, but from every breach. Most of the scams that drain student bank accounts arrive the same way Canvas-themed phishing will: a believable email, a sense of urgency, a link to a page that looks right. Train the eye-roll. Slow down before you click. Type the URL yourself. That instinct beats every identity-protection subscription on the market.
Thanks for reading, dear reader. If you spot a particularly creative Canvas-themed phishing email in the wild, send me a screenshot at mike@hifinance.ca (don’t forward me the email, then I might accidentally fall for it lol). Always nice to see what costume the scammers are wearing this season.
Useful links
