If you have a kid in school, there’s a decent chance they use Canvas. And if they use Canvas, their information is now in ShinyHunters’ hands.

In early May 2026, ShinyHunters, one of the most prolific hacking groups operating right now, breached Instructure, the company that makes Canvas. The platform serves roughly 30 million users across 9,000 schools and universities worldwide. The breach occurred during finals week for many college students, which was either terrible luck or deliberate timing. With ShinyHunters, it’s hard to know.

Here’s the part that should make you pause: This wasn’t the first time.

ShinyHunters hit Instructure back in September 2025. Same company. Same platform. Same hackers. The ransom note they left this time said it plainly: “ShinyHunters has breached Instructure (again).”

ShinyHunters isn’t some basement operation. They’re the group behind major breaches at Ticketmaster, AT&T, Santander Bank, and dozens of others over the past several years.

The attack followed a classic pay-or-leak playbook: hand over money, or the data goes public. At its peak, students logging into Canvas were greeted by the ransom note itself, right there on the login screen. Instructure has since announced it reached an “agreement” with the hackers. “Agreement” is a generous word. What that almost certainly means is they paid a ransom. The platform is now back up and running, and Instructure is moving on.

Paying ransoms is a genuinely thorny subject in cybersecurity. In the short term, it can restore access and get systems back online. But it also signals to attackers that a company is willing to pay.  It didn’t prevent this second breach, and it may not prevent another one in the future.

What information was actually taken? According to Instructure and affected schools: student names, email addresses, student ID numbers, private messages sent through Canvas, think notes between students and instructors, accommodation requests, personal conversations with advisors, and course enrollment information. What was not taken, according to Instructure: passwords, financial data, Social Security numbers, or dates of birth.

That’s a genuine relief. Don’t let it make you complacent, though.

The breach may be “resolved,” but the danger is just getting started. The hackers now have real names, real course names, and real instructor names. That combination is precisely what makes phishing emails so convincing. Your child could receive a message that reads: “Your Psychology 101 final needs to be resubmitted at this link.” No generic greeting. No obvious typos. Real details, because they are real details. That’s what makes it dangerous.

The same logic applies to parents. A notice about a billing issue or a disciplinary matter, addressed specifically, with the right class names and the right school, will feel real because the underlying data is real.

And if a student ever used Canvas messaging to discuss something sensitive like a medical accommodation or a personal struggle, those conversations may have been accessed.

Here’s what you should do now: Students, update your Canvas password and enable multi-factor authentication for your school accounts if it’s not active already. If you receive an email asking you to click a link or resubmit something, verify its authenticity directly with your instructor before taking any action. If something seems suspicious, it likely is.

Parents: update your child’s Canvas password today and change the passwords for any other accounts using the same one. Avoid clicking links in emails claiming to be from Canvas or the school, and visit the school’s website directly instead. Be cautious of messages mentioning specific classes or teacher names. For younger children, consider managing their school account login details yourself.

The platform is functional. But phishing campaigns built on stolen data don’t launch the day of the breach. They come weeks later, when people have stopped paying attention. That’s the window attackers are counting on.

Stay alert. That’s the task right now.