The Canvas outage that rattled colleges during finals week may be over, but the fallout from one of the largest education-related cyberattacks in recent memory is just beginning.
Canvas, owned by education tech company Instructure, is a learning management platform used by thousands of institutions globally — including Harvard, Stanford, and the University of Pennsylvania — and the breach is said to have impacted 8,809 schools worldwide.
The hacking group claiming responsibility for the breach, ShinyHunters, allegedly stole a massive cache of student and teacher data before Instructure reportedly agreed to pay a ransom demand.
Instructure issued a formal apology, and as part of the agreement, received “digital confirmation of data destruction (shred logs),” reassuring students and staff “that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”
What data was stolen in the Canvas hack?
Instructure noted on its website that the attackers behind the breach appeared to have carried out two attacks: the first on April 29th and the second on May 7th. After the initial incursion exposed student and faculty data, hackers later hijacked parts of the Canvas login system to display ransom messages directly to users.
This came after their May 6th threat posted to Ransomware.live, which read: “Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.”
ShinyHunters claims to have stolen roughly 275 million records, totaling about 3.65 terabytes of data from Instructure’s systems.
Instructure explains what data was exposed and what data is safe. Personally identifiable information (PII) that was breached:
- Usernames
- Email addresses
- Course names
- Enrollment information
- Platform messages
Instructure says that more sensitive data wasn't compromised in either breach:
- Core learning data
- Passwords
- Financial information
Your hacked Canvas data is still at risk
According to Inside Higher Ed, Instructure ultimately agreed to pay the ransom demand but did not specify how much it cost. The company reportedly said the hackers returned the stolen files and provided assurances that the data had been deleted.
However, the FBI and cybersecurity experts caution that ransom payments do not guarantee that stolen data is permanently destroyed or that it will not resurface online later.
That leaves students and faculty in an uncomfortable position. While Canvas itself is functioning again, the personal information taken during the breach could still circulate online or be used in future scams.
And while Instructure says passwords and financial information were not exposed, the records the attackers did obtain can still be valuable to cybercriminals.
A combination of names, school email addresses, enrollment information, and internal messages could be used in phishing attacks or identity theft attempts targeting students and faculty members. According to an All About Cookies identity theft survey, 38% of identity theft victims said a data breach — just like the Canvas hack — was the original entry point for the crime.
Hackers often use leaked institutional data to craft convincing fake emails that appear to come from trusted sources, like universities, financial aid departments, and student loan administrators.
A University of Illinois study analyzed 2,300 phishing emails targeting Cornell University between 2010 and 2023 and found that attackers were increasingly moving away from more obvious ‘security alert’ scams toward messages designed to mimic ordinary university life, such as job offers or admin notices.
For students already dealing with finals, graduation deadlines, and financial aid paperwork, the timing of the breach could make those scams especially convincing.
What you can do right now
Even with Instructure's confirmation that the data was destroyed, cybersecurity experts are clear: ransom payments don't come with guarantees. Stolen records can be copied, sold, or retained before a group ever agrees to delete them. It's worth treating your information as compromised and taking steps now.
Watch for phishing attempts. The combination of your name, school email address, enrollment details, and private messages gives attackers enough to send convincing fakes. Be skeptical of any email asking you to verify your account, reset a password, or click a link related to financial aid, student loans, or Canvas itself, even if it looks like it's coming from your university.
Change your school account password and turn on two-factor authentication. If you've reused that password anywhere else, update those accounts too. A password manager can help you keep track of unique credentials across every account. Enable 2FA to secure online accounts.
Keep an eye on accounts tied to your school email. Student IDs and institutional email addresses are common entry points for targeting financial aid portals, FAFSA-linked accounts, and any payment platforms connected to your school. Review recent activity on those accounts and set up alerts where possible.
Consider identity theft monitoring. A breach like this doesn't resolve itself in a news cycle. Stolen contact information and institutional data can circulate for months or years before appearing in a scam. Identity theft protection services monitor whether your personal information appears somewhere it shouldn't, including on dark web marketplaces, and alert you early enough to act. For students and families, that kind of ongoing visibility matters more than a one-time password reset.
Bottom line
Instructure says it paid the ransom and received confirmation that the stolen data was deleted. That's a better outcome than a public leak, but it's not a clean bill of health.
Cybersecurity experts, including the FBI, consistently warn that paying a ransom doesn't guarantee data is permanently destroyed or won't resurface later.
The Canvas platform is back up, but staying on top of your own accounts is the most reliable protection you have. If you or someone in your family is a student or teacher who uses Canvas, assume your information was exposed and act accordingly.
Take these steps now: