Canvas LMS Breach: What Educational Institutions Should Do Now
The May 2026 Canvas breach exposed 275 million users across 8,800+ institutions. Here's what happened, immediate steps to take, and how to build long-term resilience.
By Signal & Soil
The Canvas LMS breach is now the largest educational security incident on record. ShinyHunters compromised Instructure’s platform twice in early May, ultimately exposing data from approximately 275 million users across more than 8,800 institutions worldwide. If your institution uses Canvas, here’s what you need to know and do.
What Happened
On May 1, 2026, Instructure disclosed an initial cybersecurity incident involving stolen user records. Despite claims the situation was resolved, Canvas was breached again on May 7 when ShinyHunters replaced the login page with a ransomware message.
The attack vector was Free-For-Teacher accounts — a no-cost Canvas account type commonly used outside enterprise-managed environments. This is a critical detail: the weakness wasn’t in the core enterprise infrastructure, but in a peripheral feature with weaker controls.
Data compromised includes:
- Names and email addresses
- Student ID numbers
- Private messages between students and teachers
- Approximately 3.65 terabytes of data total
Instructure has stated that passwords, birth dates, government IDs, and financial information were not involved. They’ve also confirmed reaching an agreement with the attackers and claim the compromised data was destroyed.
Immediate Actions (This Week)
1. Assess Your Exposure
Contact Instructure directly for institution-specific information about what data was affected. Don’t wait for them to reach out. Document everything.
2. Notify Your Community
Communicate clearly with students, faculty, and staff. Be specific about what was and wasn’t exposed. Uncertainty breeds anxiety — facts build trust.
3. Review Free-For-Teacher Accounts
Audit any Free-For-Teacher accounts associated with your institution. These accounts may have been created by faculty outside your IT processes. Identify them, understand what data they contain, and determine if they’re still needed.
4. Reset Credentials
Even though Instructure claims passwords weren’t compromised, now is a good time to enforce credential resets for Canvas accounts, especially for users who reuse passwords across services.
5. Monitor for Phishing
Expect a wave of phishing attempts targeting your community. Attackers now have names, emails, and context about student-teacher relationships. Alert your users and strengthen email filtering.
Medium-Term Response (Next 30 Days)
Conduct a Third-Party Risk Assessment
This breach exposed a fundamental truth: your security posture is only as strong as your vendors' security. Evaluate your third-party risk management program:
- Do you have a complete inventory of vendors with access to sensitive data?
- What security requirements do you impose on vendors contractually?
- How do you verify vendor compliance?
- What’s your process when a vendor has a breach?
Review Data Minimization Practices
Ask hard questions about what data Canvas (and other systems) actually need:
- Are you collecting student data that isn’t essential?
- How long are you retaining messages and communications?
- Can you reduce your exposure by limiting what you share with vendors?
Assess Your Incident Response Readiness
If this breach had been in your own systems, would you have been ready?
- Do you have an incident response plan?
- Has it been tested in the last year?
- Do key stakeholders know their roles?
- Can you communicate effectively in a crisis?
Long-Term Resilience
Build a Security Governance Program
Many educational institutions lack formal security governance. The Canvas breach is a wake-up call. Consider:
- Risk Assessment Framework: Use NIST CSF 2.0 or ISO 27001 to structure your security program
- Third-Party Risk Management: Implement ongoing vendor security assessments
- Incident Response Planning: Develop, document, and drill your response procedures
- Security Awareness Training: Your community is your first line of defense
Consider Compliance Frameworks
For institutions handling sensitive data, formal compliance frameworks provide structure:
- NIST Cybersecurity Framework 2.0: Comprehensive and widely applicable
- ISO 27001: International standard for information security management
- FERPA: Already required, but often treated as a checkbox rather than a security driver
Quantify Your Risk
Move beyond qualitative risk assessments. Use frameworks like FAIR (Factor Analysis of Information Risk) to understand your exposure in financial terms. This enables better resource allocation and executive communication.
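To show what "exposure in financial terms" looks like in practice, here is an added example (not from Signal & Soil or the article) of a small FAIR-style Monte Carlo: it samples loss event frequency and per-event loss magnitude from estimated ranges, produces an annualized loss distribution, and compares a vendor-breach scenario before and after a control. All scenario names, ranges and dollar figures are constructed placeholders, not figures from the Canvas incident; triangular sampling stands in for the PERT distribution FAIR tools typically use.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Range:
    """A calibrated estimate: minimum, most likely, and maximum value."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular(low, high, mode); a simple stand-in for PERT.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass
class Scenario:
    name: str
    lef: Range             # loss event frequency, loss events per year
    primary_loss: Range    # per event: response, notification, resets (USD)
    secondary_loss: Range  # per event: regulatory, legal, reputation (USD)


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Return summary statistics of simulated annual loss for a scenario."""
    rng = random.Random(seed)  # fixed seed keeps results reproducible
    annual = []
    for _ in range(iterations):
        events = scenario.lef.sample(rng)
        per_event = scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        annual.append(events * per_event)  # annual loss = frequency x magnitude
    annual.sort()
    pct = lambda p: annual[min(len(annual) - 1, int(p * len(annual)))]
    return {"mean": mean(annual), "p50": pct(0.5), "p90": pct(0.9), "max": annual[-1]}


def control_value(before: Scenario, after: Scenario, seed: int = 1) -> float:
    """Expected annual loss avoided by a control (mean before minus mean after)."""
    return simulate(before, seed=seed)["mean"] - simulate(after, seed=seed)["mean"]


# Constructed scenario: a hosted LMS vendor exposes this institution's records.
VENDOR_BREACH = Scenario("LMS vendor breach", Range(0.05, 0.2, 0.5),
                         Range(50_000, 250_000, 900_000), Range(0, 150_000, 1_500_000))
# Same scenario after data minimization and vendor assessments (constructed: fewer
# events, smaller secondary losses because less sensitive data is held by the vendor).
WITH_CONTROLS = Scenario("LMS vendor breach, minimized data", Range(0.03, 0.1, 0.3),
                         Range(50_000, 250_000, 900_000), Range(0, 60_000, 600_000))

if __name__ == "__main__":
    for s in (VENDOR_BREACH, WITH_CONTROLS):
        print(s.name, {k: round(v) for k, v in simulate(s).items()})
    print("expected annual loss avoided:", round(control_value(VENDOR_BREACH, WITH_CONTROLS)))
```

Compare the avoided loss to the annual cost of the control to decide whether it earns its budget, and present the p90 (not just the mean) to executives as the "bad year" figure.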
The Bigger Picture
The Canvas breach reveals a pattern we see repeatedly: organizations focus security efforts on their core systems while overlooking peripheral features, shadow IT, and third-party integrations. ShinyHunters didn’t breach Canvas’s enterprise security — they exploited a convenience feature with weaker controls.
Every organization has these blind spots. The question isn’t whether you have them, but whether you’re actively looking for them.
Need help assessing your security posture or building a resilience program? Signal & Soil specializes in security governance, risk management, and incident response planning for organizations facing complex threats. Contact us to discuss your situation.