Canvas Data Breach

Following the initial investigation, Instructure confirmed in early May 2026 that unauthorized actors may have accessed or exfiltrated certain data associated with Canvas user accounts. The platform is used by millions of students, teachers, and staff worldwide, including K‑12 public school districts, colleges, and universities across the United States and abroad.

As the forensic investigation continues, Instructure has reported that the incident involved unauthorized access to systems used for data export and messaging, potentially exposing sensitive user information. While the company has not publicly disclosed an exact number of affected individuals, cybersecurity researchers and media outlets estimate that the breach may involve millions of users across thousands of educational institutions. 

After identifying suspicious activity, Instructure reported that it revoked compromised credentials, rotated access keys and tokens, enhanced monitoring, and deployed additional security patches to reduce the risk of further unauthorized access. The company stated it is continuing to cooperate with affected institutions as notifications and assessments proceed. 

Canvas is one of the most widely adopted learning management systems in the world. Schools and universities rely on Canvas for posting assignments, grading, internal messaging, coursework management, and virtual learning. Because of this broad adoption, a single breach can create widespread privacy and security concerns for students, educators, and families.

At the time of initial reporting, Instructure stated it had no evidence that passwords, financial information, or government‑issued identification numbers were accessed. However, the company acknowledged that certain personally identifiable information (PII) and private communications may have been exposed. Investigators continue working to determine the full extent of the incident. 

Educational institutions have begun notifying students, parents, and staff members that their information may have been involved. If you receive a notice from your school or district regarding the Canvas data breach, it means your personal information stored on the platform may have been impacted by this cybersecurity incident.

The specific data elements involved may vary by institution and individual account and are expected to be detailed in any notification letters or communications issued by schools or districts.

Your Personally Identifiable Information (PII) includes information that can be used to identify or contact you, such as names, email addresses, and identification numbers. When this information is exposed in a data breach, it can be leveraged for phishing attacks, identity theft, account takeover, and other forms of misuse.

Because Canvas is used extensively in educational settings, some of the data involved may also qualify as student educational records, which are protected under federal and state privacy laws, including the Family Educational Rights and Privacy Act (FERPA). Unauthorized access to this data can put students, especially minors, at heightened risk for privacy and security harms. 

What Should Impacted Individuals Do?

If your information was involved in this incident, it is important to remain vigilant. Impacted individuals are encouraged to:

• Monitor email accounts closely for phishing attempts or suspicious messages
• Be cautious of communications claiming to come from schools, teachers, or administrators
• Review account activity and change passwords where possible
• Follow guidance provided by schools or Instructure regarding account security and monitoring

Educational institutions may also provide additional recommendations or protective services as more details emerge.

Legal Rights After a Student or Education Data Breach

Students, parents, educators, and staff may have legal rights when companies or institutions fail to adequately safeguard sensitive personal or educational data. These rights vary by state and may depend on factors such as the type of information exposed, the affected individual’s age, and how the breach occurred.

If you received a Notice of Data Breach related to the Canvas (Instructure) cybersecurity incident, your personal information, and in some cases your educational records, may be at risk.