Millions of students and educators rely on Canvas, a learning management platform operated by Instructure, every day to submit assignments, check grades, communicate with instructors, and take exams. But in May 2026, a ransomware attack disrupted the platform, and hackers stole student information.

The situation is still developing, but students, parents, and faculty should understand what happened and take a few practical steps to stay safe online.

What happened in the Canvas cyberattack? 

Canvas's parent company, Instructure, confirmed that hackers gained unauthorized access to systems connected to the online learning platform. The attack temporarily knocked parts of Canvas offline, leaving a large number of students and educators unable to access coursework during finals season! While the platform came back online, hackers were able to download student data.  

A hacking group known as ShinyHunters claimed responsibility for the breach. According to reports, the group threatened to leak data connected to thousands of schools and millions of users unless a ransom was paid. The hackers breached Canvas by sending malicious code to the platform's support representatives.  

Instructure later announced that it had reached an agreement with the attackers and received what it described as “digital confirmation” that the stolen data had been deleted. However, there is no way to guarantee stolen information is permanently destroyed once it has been taken – this is why we generally recommend against paying a ransom. 

According to the company, the exposed information may have included: 

• Names 

• Email addresses 

• Student ID numbers 

• Messages sent through Canvas (like between students or between students and faculty) 

Instructure said it found no evidence that passwords, dates of birth, government IDs, or financial information were compromised. However, it's a good idea to assume that hackers may have gotten more than we initially think – changing a password and monitoring for strange charges is a good idea.   

Even with the info they have, criminals can still misuse this basic personal information in phishing scams, impersonation attempts, and other social engineering attacks. 

What students, parents, and faculty should do 

You do not need to panic, but it's a good time to increase your alertness.

Watch out for phishing messages 

Be cautious with unexpected emails, texts, or calls mentioning the Canvas breach. Scammers may try to create urgency by claiming that your account needs verification or that your information has been exposed. The Federal Trade Commission warned that scammers may exploit news of the breach by sending fake emails or text messages that appear to come from schools or Canvas support teams. 

Never click links or download attachments from suspicious messages or respond. Don't even click the "unsubscribe" button. If you are unsure whether a message is legitimate, contact your school or Canvas directly using official contact information.

Change your passwords 

Even though Instructure said passwords were not compromised, we recommend changing your Canvas password as a smart precaution. You may also want to change the password for your university account. This is especially true if you reuse passwords across multiple accounts – a habit you should break! 

Create strong, unique passwords for important accounts and use a password manager. A strong password is at least 16 characters long, used for only one account, and a random, complex string of characters.  

Many universities enforce multifactor authentication, but you should enable it for every account. We recommend using a secure standalone MFA app, such as Duo or Google Authenticator.

Monitor your accounts 

Keep an eye on school accounts, email inboxes, and other online accounts for suspicious activity. Watch for password reset emails, login alerts, or messages you did not expect. Parents should talk with students about how scams work and encourage them to pause before responding to urgent online messages. 

In general, we recommend that you freeze your credit in case your Social Security number is stolen in a breach. While it hasn’t been mentioned that Social Security numbers were stolen in the Canvas breach, it’s a good habit to maintain. Names and birthdates were stolen – these can be used in conjunction with an SSN from other breaches to attempt identity theft. Freezing your credit is free, and you can unfreeze it briefly when you apply for credit.

Study safe online 

Cyberattacks affecting schools and educational platforms are now commonplace, but awareness and good habits can make a difference. Be skeptical of any unexpected inbound messages, maintain strong password habits, and enabling security features can help reduce your risk. For more tips, sign up for our free email newsletter.