The cyberattack

Canvas is a cloud-based learning management system operated by Instructure, Inc. and used by over 41% of colleges and universities in North America, more than 8,000 institutions worldwide, and over 30 million active users. The platform is embedded in the daily academic life of students from K-12 through postgraduate programs, handling course materials, assignment submissions, grades, and direct messages between students and educators. 

On April 30, 2026, hackers from the cybercriminal group ShinyHunters exploited a vulnerability in Instructure’s production systems to gain unauthorized access to Canvas. ShinyHunters is a criminal hacking and extortion group active since 2020, believed to comprise a small number of core members based in Canada and France. The group specializes in targeting companies that provide services to multiple organizations, allowing a single breach to cascade across thousands of victims. ShinyHunters previously orchestrated the 2024 Snowflake supply chain campaign that compromised approximately 165 organizations. In March 2026, ShinyHunters breached the European Commission, leaking 350 gigabytes of data from 42 internal clients. 

The Canvas breach was Instructure’s second confirmed compromise by ShinyHunters in approximately eight months. In September 2025, ShinyHunters carried out a social engineering attack against the company’s Salesforce environment. The April 2026 attack exploited a different vulnerability in Instructure’s production systems, which the company says has since been patched. Instructure’s chief information security officer, Steve Proud, notified customers on May 1 that the company had experienced a cybersecurity incident perpetrated by a criminal threat actor. By May 2, Instructure said the situation had been “contained,” but disclosed that names, email addresses, student ID numbers, and messages among users could have been exposed. On May 3, the threat intelligence tracking platform Ransomware.live posted a copy of a ransom letter from ShinyHunters in which the group claimed to possess data from 275 million individuals across nearly 9,000 schools and warned: “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way.” By May 5, TechCrunch reported that ShinyHunters had stolen 231 million unique email addresses from Canvas.

Instructure characterized the incident as “resolved” on May 6. However, the following day, ShinyHunters struck again. Students and faculty at thousands of institutions were greeted with a message from ShinyHunters on their Canvas login pages stating that the group had “breached Instructure (again)” and faulting the company’s response: “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’” The message instructed affected schools to “consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement,” with a deadline of May 12, 2026, “before everything is leaked.” Instructure confirmed that the second attack exploited an issue related to its “Free-For-Teacher” accounts and, “out of an abundance of caution,” temporarily took Canvas offline, placing the system into maintenance mode. Service was restored for most users by Thursday evening, May 8 – but not before the disruption forced dozens of institutions to postpone or cancel final examinations, extend grading deadlines, or shift to alternative platforms.

Categories of data compromised

Instructure has confirmed that the following categories of information were accessed by the hackers:

  • Names and email addresses of students, faculty, and staff
  • Student ID numbers
  • Messages among Canvas users, including private communications between students and faculty
  • Course enrollments and course records 

Instructure has stated that it found no evidence that passwords, dates of birth, government identifiers (such as Social Security numbers), or financial information were involved. However, ShinyHunters has separately claimed access to data from over 275 million individuals and 3.65 terabytes of information, including “billions” of private messages. The full scope of the breach remains under investigation. As cybersecurity analysts have noted, the inclusion of private messages – which could contain phone numbers, home addresses, and personal information shared in the expectation of privacy – makes this breach qualitatively different from a typical email-and-name data leak. Institutions should not assume that the categories of data confirmed by Instructure represent the full extent of the compromise; forensic investigations of this nature frequently reveal additional categories of affected data over time.

The ransom payment

Instructure has now paid a ransom to ShinyHunters, the cybercriminal group responsible for two separate breaches of its Canvas platform this month. The agreement was reached on May 11, 2026 – one day before the hackers’ deadline to leak the stolen data. Under the agreement, the hackers reportedly returned the compromised data and provided “shred logs” as digital confirmation of its destruction. Instructure has stated that the agreement covers all impacted customers and that no Instructure customer will be separately extorted as a result of this incident. The specific monetary value of the ransom has not been publicly disclosed.

While the ransom payment may offer interim relief, it does not resolve the significant legal, regulatory, and insurance implications for affected institutions.

Institutions should approach Instructure’s representations with informed caution. Ransom agreements with cybercriminal organizations are inherently unenforceable. There is no legal mechanism to compel ShinyHunters to honor its commitment to destroy the stolen data, and no independent verification that all copies have been eliminated. Cybersecurity researchers have documented numerous instances in which threat actors retained or resold data after accepting ransom payments. Moreover, ShinyHunters operates as a loosely affiliated collective; even if the negotiating members honor the agreement, other affiliates or downstream purchasers may not be bound by its terms. 

The breach also exposes a structural vulnerability in the way higher education has been digitized. Most affected institutions did not independently select or configure Canvas’s security architecture; they adopted a market-dominant platform that is well-designed, reliable, and deeply integrated into institutional workflows. As a result, a single security failure at a single vendor can compromise the academic records and private communications of students across thousands of institutions in dozens of countries simultaneously. The affected institutions had no role in the security decisions that allowed the breach, cannot independently audit the vendor’s systems, and are “downstream” for cybersecurity purposes with no ability to prevent the intrusion.

The ransom payment does not close the book

Despite Instructure’s resolution with ShinyHunters, affected institutions still face significant legal, regulatory, and financial exposure. The ransom payment and the hackers’ assurances do not close the book on this incident for the institutions whose data was compromised.

  • Potentially insured losses remain. Institutions may have their own first-party costs – including forensic investigation, breach notification, credit monitoring, business interruption, and crisis management expenses – that are independently covered under their own cyber policies, regardless of what Instructure paid to resolve the ransom demand. These costs exist independently of the vendor’s actions and may be recoverable.
  • Litigation risk persists. The return of the data and ShinyHunters’ promise not to use it do not insulate institutions from lawsuits. Affected individuals – including students, parents, faculty, and staff – may bring claims alleging a failure to adequately protect personal data or seeking damages for unauthorized access. These claims do not depend on whether the data is ultimately published. Common theories in data breach litigation include negligence, breach of (implied) contract, unjust enrichment, violations of state consumer protection statutes, and claims under specific data privacy laws. Institutions should also be aware that plaintiffs’ counsel have filed class actions within days of major breach disclosures in recent years, and the scale of this incident – potentially affecting hundreds of millions of individuals – makes coordinated litigation highly likely.
  • Ongoing threat of further attacks. Institutions should remain vigilant for follow-on attacks from ShinyHunters and other groups. ShinyHunters is a highly active cybercriminal organization with a history of targeting education platforms and major corporations. There is no guarantee that copies of the data were not retained or shared with third parties prior to the ransom agreement, and the stolen data – including names, email addresses, and private messages – could be exploited in phishing campaigns or other social engineering attacks.

Key considerations for general counsel

Data breach notification obligations

Regardless of the ransom resolution, affected institutions must independently assess their notification obligations under applicable federal and state law. The compromised data – including names, email addresses, student ID numbers, and private messages – may constitute “personally identifiable information” or “personal information” triggering notification requirements under state data breach notification statutes. Moreover, to the extent the compromised information includes protected education records, institutions may have independent notice obligations under the Family Educational Rights and Privacy Act and related regulations. 

These legal obligations exist independently of Instructure’s arrangement with ShinyHunters. Institutions should immediately consult with counsel to determine whether they have independent notification obligations in the jurisdictions where affected individuals reside.

Review your cyber insurance

If you have cyber coverage, review it now (with coverage counsel):

  • Confirm adequacy of policy limits and sublimits (ransomware, notification, regulatory defense) given the scale of this breach
  • Verify whether the policy covers losses from a third-party vendor breach (look for dependent business interruption or contingent system failure coverage)
  • Confirm compliance with notice provisions – most policies require prompt reporting of any circumstance that could reasonably give rise to a claim; this incident likely triggers that obligation even if the institution has not yet received a demand or complaint
  • Understand consent-to-pay requirements – if asked to contribute to a ransom or pay one independently, most policies require carrier consent before payment and will deny coverage if the insured pays first
  • Preserve rights under the policy (no admissions, cooperate with carrier, document all costs)

If you do not have cyber coverage, consider purchasing it:

  • These events are increasing in frequency and sophistication
  • Institutions relying on third-party vendors for critical infrastructure, such as learning management systems (LMS), student information systems (SIS), and financial aid platforms, face growing exposure
  • The market has tightened but coverage remains available and is increasingly essential

Other insurance coverages that may respond

Cyber is not the only potentially responsive coverage. Institutions should review the following coverages with their brokers and coverage counsel:

  • General liability (GL). Some GL policies cover privacy-related claims under “personal and advertising injury” grants, though many now have cyber/data exclusions that may limit or bar coverage.
  • Errors and omissions (E&O)/professional liability. If the institution is alleged to have been negligent in vendor selection, data-sharing practices, or oversight of Instructure, E&O policies may respond.
  • Directors and officers (D&O). Board members and administrators could face claims for failure to maintain adequate cybersecurity governance, potentially triggering D&O coverage.
  • Crime/fidelity policies. If institutions suffer fraudulent transfers or social engineering attacks exploiting the stolen Canvas data (such as phishing using leaked credentials), crime policies with computer fraud or social engineering endorsements may respond.

Vendor contract review

Institutions should review their contracts with Instructure to understand the allocation of responsibility for data security, breach notification, indemnification obligations, and limitations of liability. Many institutions will want to assess whether Instructure’s handling of the incident – including its initial characterization of the breach as “resolved” on May 6 before the second breach occurred on May 7 – met its contractual obligations.

Immediate next steps

There are actions institutions can take now, in consultation with counsel, to be prepared for the legal, regulatory, and insurance implications of this incident:

  • Assess notification obligations. Work with counsel to determine whether the institution has independent data breach notification obligations under applicable federal and state laws, regardless of Instructure’s representations.
  • Review cyber insurance policies. Provide timely notice to insurers and document all costs incurred as a result of the breach, including operational disruptions, forensic analysis, and communications expenses.
  • Preserve documents and communications. Implement a litigation hold to preserve all documents and communications related to the incident, including communications with Instructure, internal assessments, and any student or employee complaints.
  • Review vendor contracts. Examine existing agreements with Instructure for indemnification, subrogation, contribution, data security, and breach notification provisions. Consider whether a breach of contract or warranty claim is supportable.
  • Monitor for regulatory inquiries. Given the scale of the breach – potentially affecting 275 million individuals – federal and state regulators, including the FBI, the FTC, state attorneys general, and the U.S. Department of Education, may initiate inquiries. Early coordination with counsel on regulatory response strategy is advisable. Institutions that receive civil investigative demands or document requests should engage counsel immediately.
  • Communicate with affected individuals. Develop clear, accurate messaging for students, faculty, staff, and parents. Advise affected individuals to monitor for identity theft, enable two-factor authentication, and be wary of phishing emails.
  • Enhance security posture. Implement additional security measures, including reviewing integration points with Canvas, monitoring for unauthorized access, and reinforcing cybersecurity awareness across the campus community.

Schools should work closely with counsel to stay informed and proactive as they navigate the evolving legal, regulatory, and insurance implications of this incident.

We are available to assist with any of the matters discussed in this alert and welcome the opportunity to discuss your institution’s specific circumstances. 

Client Alert 2026-108
