Canvas Attackers Compromise 275M Students, Teachers, and Staff

The Canvas breach reveals how cybercriminals are targeting education: learn how the attack unfolded, what data was exposed, and the risks ahead.
Last updated May 8, 2026

The recent breach of the Canvas learning management system is more than another large-scale data theft—it highlights a pattern of attacks targeting educational institutions, where students, faculty, and staff are particularly susceptible to the social engineering tactics used by groups like ShinyHunters.

What happened?  

On May 1, 2026, Instructure, the educational technology company behind Canvas, confirmed that it had experienced a cybersecurity incident involving a criminal threat actor. By May 2, the company reported that it had contained the event and implemented several defensive actions, including revoking privileged credentials, rotating tokens and application keys, deploying patches, and increasing platform monitoring.

At that time, Instructure disclosed that certain user data had been accessed, including names, email addresses, student ID numbers, and messages exchanged within the platform. 

The following day, the cybercrime group ShinyHunters publicly claimed responsibility and added Instructure to its dark web extortion site, issuing a direct warning: pay a ransom or the stolen data would be released. This marked the transition from a seemingly contained incident to an active extortion campaign. 

Attack methodology 

While the exact intrusion path has not been publicly confirmed, the attack aligns closely with ShinyHunters’ established playbook. The group is known for relying on social engineering techniques, particularly voice phishing (vishing), to gain initial access rather than exploiting complex vulnerabilities. 

The broader context reinforces this possibility.

In September 2025, ShinyHunters successfully compromised Instructure by targeting its Salesforce environment using social engineering – a common tactic used to exploit cloud platforms and third-party integrations. This pattern suggests the breach may not have been the result of a single technical flaw, but rather the exploitation of human trust combined with access to interconnected systems.

Scope of the breach  

The scale of the incident is substantial. Canvas is used globally across K–12 schools, universities, and corporate environments, and the breach potentially impacts millions of users. 

In addition to the core Canvas platform, attackers have claimed access to Instructure’s Salesforce environment, which could expand the scope of data exposure beyond what has been formally confirmed. 

Who was affected? 

The impacted organizations span the full education spectrum. Major research universities such as Harvard, Stanford, and MIT are reportedly on the affected list, alongside thousands of K–12 districts and global education systems.

The breach caused widespread disruption. Many institutions experienced outages and loss of access to coursework, assignments, and communications during final exams, amplifying the operational impact. 

What data was exposed?

According to the threat actors, approximately 3.65 terabytes of data has been compromised, including usernames, institutional email addresses, student ID numbers, and messages exchanged within Canvas. The group claims that around 275 million individuals, roughly 9,000 schools, and 15,000 institutions across North America, Europe, and parts of Asia were affected.

The challenge for educational institutions 

Varonis partners with many higher education institutions and has observed that these environments present a unique combination of challenges that increase the likelihood of successful attacks.

Universities manage highly dynamic populations. Students, faculty, and staff are constantly joining and leaving, yet accounts and associated data are rarely fully deprovisioned. Over time, this leads to the accumulation of inactive or under-monitored identities. 

Additionally, universities maintain vast datasets across multiple systems, integrations, and cloud platforms. Data is continuously generated but seldom removed, resulting in long-term sprawl that is difficult to govern. The net effect is an expanded attack surface composed of identities, data, and integrations. When attackers successfully gain access—whether through social engineering or compromised credentials—they can often move laterally and extract large volumes of data. 


Downstream risk 

The immediate risk following this type of breach is often highly targeted phishing. With access to names, institutional email addresses, student identifiers, and message content, attackers can craft convincing communications that appear legitimate. Messages may reference real coursework, administrative processes, or recent conversations, increasing the likelihood that recipients will trust and act on them. 

The exposure of internal communications further compounds the risk. Messages exchanged between students, faculty, and administrators may contain sensitive or contextual information that attackers can use to refine impersonation attempts and weaponize in subsequent campaigns.

Impersonation becomes particularly effective in this environment. When attackers can convincingly mimic known individuals, like professors or administrators, the barrier to trust is significantly lowered. This increases the likelihood of additional credential theft, malicious link clicks, or financial scams. 

What you should do if you use Canvas 

Users should approach all unexpected communications with heightened scrutiny. Messages related to Canvas in particular, whether via email, text, or voice, should be treated cautiously, especially if they create urgency or prompt immediate action. Links embedded in Canvas-related messages should not be trusted blindly. Instead, users should navigate directly to official portals rather than clicking embedded URLs. When in doubt, verifying requests through separate, trusted channels is critical. 

Users should also review and strengthen their overall account security and authentication practices. Enabling multi-factor authentication and ensuring that passwords are unique across accounts reduces the likelihood of subsequent account compromise. 

Finally, vigilance must extend beyond the immediate aftermath. The value of stolen data does not diminish quickly. Attackers may use it weeks or months after the initial breach, making sustained awareness essential. 

The big picture for security teams  

The Canvas breach underscores a broader reality: reliance on widely used SaaS platforms introduces systemic risk that extends beyond any single organization. Even when the originating vendor responds quickly, downstream exposure is difficult to control. Educational institutions are especially exposed, as they manage large populations of students and staff, and often retain user accounts and data long after individuals have left the institution. Organizations cannot always prevent breaches, but they can reduce the impact by managing their own data footprint.

 When incidents occur, organizations need clear insight into what data was accessed, which identities were involved, and what potential threats may persist. Without that level of awareness, response efforts are reactive rather than strategic.

Thank you to Stephen Kowski and Meagan Huebner for contributing to this post.  
