275 Million Students Just Had Their Data Stolen. They Never Had a Say.
ShinyHunters breached Instructure's Canvas platform for the second time in eight months. The stolen data includes student messages, names, and IDs across 9,000 schools — from a system students were required to use.
On April 30, Instructure's security team noticed something wrong with the API keys powering Canvas Data 2 — the analytics pipeline that streams course activity, student behavior, assessment results, and private messages from Canvas, the world's most-used learning management system, into institutional data warehouses. By May 3, the company confirmed the breach. By then, ShinyHunters had already posted their listing on a Tor leak site: 3.65 terabytes of data spanning 275 million users across nearly 9,000 schools, universities, and education ministries worldwide.
This is the largest education data breach on record. And the 275 million people whose data was stolen had no choice about being in the system that lost it.
What Canvas Knows About You
Canvas is not just a place where teachers post syllabi and students submit assignments. It's a behavioral data platform that happens to have a learning management interface bolted on top.
Canvas Data 2, the system that was breached, is Instructure's bulk data export service. It provides institutional administrators with near-real-time access to granular records: course design features, user interactions, assessment and evaluation data, device characteristics, login patterns, and more. The latency is four hours or less. Every click, every submission, every message between students gets logged, timestamped, and made queryable.
The data ShinyHunters stole includes names, email addresses, student IDs, and — this is the part that should bother you — user messages. Not metadata. Messages. The content of communications between students and between students and teachers, stored in a centralized pipeline designed to make everything accessible at scale.
Instructure says passwords, dates of birth, government-issued identifiers, and financial information were not compromised. That's a meaningful distinction for identity theft risk. But "we didn't lose your passwords" is cold comfort when the stolen dataset includes what your kid wrote to their teacher and the unique student ID that links them across every system the school uses.
The Same Group, Eight Months Later
ShinyHunters breached Instructure before. In September 2025, the group used social engineering to access Instructure's Salesforce instance. That breach exposed business contact data — names, emails, phone numbers of enterprise contacts. Instructure disclosed it, said no Canvas product data was accessed, and moved on.
Eight months later, ShinyHunters came back through a different door. This time they exploited a vulnerability in Instructure's systems — one that has since been patched — and went straight for Canvas Data 2. Same threat actor. Different vector. Massively larger impact.
This pattern isn't unique to Instructure. ShinyHunters ran a broader campaign against Salesforce customers in late 2025, claiming to have stolen 1.5 billion records from 760 companies by exploiting OAuth tokens through the Salesloft/Drift integration. The Instructure Salesforce breach was one node in that campaign. The May 2026 breach was ShinyHunters returning to a target they'd already mapped, with knowledge of the environment they'd gained the first time around.
When an attacker compromises your systems once and you don't fundamentally change your security architecture, the second breach isn't a surprise. It's a scheduling question.
The COPPA Timing
Here's the part that reads like dark comedy. On April 22, 2026 — eight days before Instructure detected this breach — the updated COPPA Rule took effect.
COPPA, the Children's Online Privacy Protection Act, is the federal law that governs how companies handle data belonging to children under 13. The FTC had been working on updates for years. The new rule tightens consent requirements, restricts targeted advertising using children's data, adds biometric identifiers to the definition of personal information, and imposes data retention limits. Companies had since June 2025 to comply. The deadline was April 22.
Canvas serves K-12 school districts across the United States. Many of those districts serve elementary school students — children squarely within COPPA's scope. Under the updated rule, companies that collect children's data must obtain verifiable parental consent before using that data for purposes beyond what the school authorized. Schools can consent on behalf of parents, but only for data used solely for educational purposes.
The question COPPA's update was trying to address is straightforward: who gets to decide what happens with children's data, and how much of it should edtech companies be collecting in the first place? Eight days after the compliance deadline, the largest edtech data breach in history demonstrated why those questions matter.
The updated COPPA rule also added stricter breach notification requirements for children's data. Those requirements are now active. For the 9,000 affected schools, the compliance timeline on notifications is not hypothetical.
Why FERPA Won't Save You
FERPA — the Family Educational Rights and Privacy Act — is the law most people think of when they hear "student data protection." It applies to all educational institutions that receive federal funding, which is nearly all of them. FERPA gives students and parents the right to access their education records, request corrections, and control who those records are shared with.
Here's the problem: FERPA has no private right of action. You cannot sue under FERPA as an individual student or parent. The only enforcement mechanism is that the Department of Education can threaten to pull federal funding from an institution that violates the law. This has never happened. Not once in FERPA's 52-year history.
So when Instructure loses 275 million student records, FERPA provides no direct legal remedy for the students and parents whose data was stolen. The schools are the ones with FERPA obligations, and their defense is straightforward: they contracted with a vendor, the vendor got breached, the school followed its contractual process. FERPA's enforcement structure wasn't designed for a world where a single vendor holds data for thousands of institutions simultaneously.
There are roughly 130 state-level student privacy laws across the United States. Some of them — California's SOPIPA, Illinois's SPDA — have stronger enforcement mechanisms than FERPA, including private rights of action. A lawsuit investigation has already been opened against Instructure. But the patchwork nature of state laws means your protections depend on where your school is located, not on how sensitive your data is.
The Centralization Problem
Canvas holds approximately 50% of the US higher education LMS market by enrollment. It serves over 2,000 K-12 districts. When you count universities, community colleges, K-12 systems, and international education ministries, Instructure's platform touches hundreds of millions of learners.
This concentration creates a specific kind of risk that's different from a typical corporate data breach. When a retailer gets breached, the affected customers chose to shop there. They could have gone elsewhere. Students don't choose their LMS. The school chooses it. The student is enrolled by default, and participation is mandatory — you can't submit your homework on a different platform.
Canvas Data 2 makes the concentration problem worse. It's not just that Canvas stores a lot of data. It's that Canvas Data 2 was specifically designed to aggregate all of that data into a single queryable pipeline, optimized for bulk export. The system's four-hour latency means that data moves from the LMS into the analytics warehouse almost in real time. The feature that makes Canvas Data 2 valuable to institutional researchers — fast, unrestricted, bulk access to everything — is exactly what makes a breach catastrophic.
This is the trade-off that nobody presented to students or parents: your school gets "actionable learning analytics" and in exchange, every interaction you have on the platform gets piped into a centralized data warehouse that, if compromised, exposes everything at once.
What Actually Happened to the Data
ShinyHunters operates on an extortion model. They breach organizations, exfiltrate data, and then threaten to publish or sell it unless a ransom is paid. They listed Instructure on their Tor-based data leak site on May 3, claiming 3.65 terabytes of stolen data.
The practical risk for affected students depends on what ShinyHunters does next. If the data is published, the exposure is permanent and uncontainable. Names, email addresses, student IDs, and message content for 275 million people would be available to anyone — identity thieves, stalkers, advertisers, foreign intelligence services, anyone with a Tor browser.
If a ransom is paid and ShinyHunters deletes their copy (which relies on trusting a criminal organization to honor a deletion promise), the exposure may be contained. Instructure has not disclosed whether ransom negotiations are occurring.
For the individuals whose data was stolen, the realistic risk profile looks like this: student IDs combined with names and institutional email addresses provide enough information for highly targeted phishing. An attacker who knows your name, your school, your student ID, and the platform you use can craft a phishing email that looks indistinguishable from a legitimate Canvas notification. For younger students, the risk extends to their parents, who are likely to interact with emails that appear to come from their child's school.
The message content adds a different dimension. Private communications between students, and between students and teachers, have value beyond financial fraud. They can be used for harassment, for targeted social engineering, or simply for embarrassment. For students who used Canvas messaging to discuss personal matters — health issues, disciplinary situations, accommodations — the exposure is not just a data point. It's a privacy violation with real emotional weight.
What to Do
If you're a student or parent:
- Assume your data is part of this breach if your school uses Canvas. Instructure has not yet published a full list of affected institutions. Don't wait for notification — ask your school directly whether they were affected.
- Exercise your FERPA rights. You have the right to request access to your education records. Submit a written request to your school's registrar (for higher ed) or principal/district office (for K-12) asking specifically what data was included in their Canvas Data 2 exports and whether your records were part of the compromised dataset.
- Watch for targeted phishing. Any email that references Canvas, your school, your student ID, or a course name should be treated with suspicion for the foreseeable future. Don't click links in emails claiming to be from Canvas — go directly to your school's Canvas URL instead.
- For parents of children under 13: Your school district has notification obligations under the updated COPPA rule. If you haven't received notification, contact your district and ask specifically about their COPPA compliance for this incident.
- Monitor the lawsuit. A class action investigation has been opened. If you're an affected user, understanding your options early matters more than acting immediately.
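The targeted-phishing risk described earlier and the advice above to trust only your school's own Canvas URL come down to one check: does every link in a "Canvas notification" actually point at the school's Canvas host? The script below is an added example, not code from the article or from Instructure. It assumes two constructed trusted hostnames (`canvas.example-university.edu` and `example-university.instructure.com`) and two constructed sample e-mail bodies; a real deployment would load the trusted hosts from the institution's published Canvas URL, never from the message being checked.

```python
"""Flag links in a 'Canvas notification' e-mail whose destination is not the
school's own Canvas host.  Added example; all hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the school's real Canvas hosts, taken from the institution's
# published URL (a sub-host such as files.canvas.example-university.edu also passes).
TRUSTED_HOSTS = {"canvas.example-university.edu", "example-university.instructure.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_is_trusted(host):
    """True only if host is a trusted host or a sub-host of one (exact suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_links(html_body):
    """Return one finding per suspicious link: {'href', 'text', 'reasons'}.
    An empty list means every link resolves to a trusted Canvas host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.scheme not in ("http", "https"):
            reasons.append("non-web scheme")
        if not _host_is_trusted(host):
            reasons.append("host not in trusted Canvas hosts")
            # A trusted name embedded in an untrusted host is the classic lookalike
            # (e.g. school.instructure.com.something-else.net).
            if "canvas" in host or any(t.split(".")[0] in host for t in TRUSTED_HOSTS):
                reasons.append("lookalike host")
        # Visible text that is itself a URL but disagrees with the real target.
        if text.startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                reasons.append("displayed URL differs from target")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample messages: one genuine notification, one lookalike lure.
LEGIT_EMAIL = ('<p>A new grade was posted. <a href="https://example-university.instructure.com'
               '/courses/101/grades">View it in Canvas</a></p>')
PHISH_EMAIL = ('<p>Your account was flagged. Confirm your student ID at '
               '<a href="https://example-university.instructure.com.account-verify.net/login">'
               'https://example-university.instructure.com/login</a></p>')

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_EMAIL), ("phish", PHISH_EMAIL)):
        print(label, check_links(body))
```

The suffix match in `_host_is_trusted` is deliberate: a plain substring test would accept the lookalike, because the real school host appears verbatim inside it. The same check applies to any "your school says" e-mail, not only Canvas notifications.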
If you're a school administrator:
- Audit what your Canvas Data 2 exports contained. You likely know what data categories you were exporting. Map them against the breach to understand the specific exposure for your students.
- Question the data you're collecting. Canvas Data 2 offers access to everything by default. Not every institution needs to export student messages, device characteristics, and behavioral data into a warehouse. The data you don't collect can't be stolen. After this breach, "we export everything because we can" is not a defensible position.
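One way to turn "question the data you're collecting" into a repeatable control is a purpose-based allowlist: every export category must be justified by a stated analytics purpose, and sensitive categories need a recorded justification even when a purpose names them. The script below is an added example, not code from the article or from Instructure, and the category names (`user_messages`, `device_characteristics`, `login_events`, and so on), the purposes, and the sample "export everything" request are constructed placeholders, not Canvas Data 2's real table names.

```python
"""Reduce an 'export everything' analytics request to what stated purposes need.
Added example; category and purpose names are constructed placeholders."""

# Constructed: categories whose exposure is especially harmful, with the reason.
SENSITIVE = {
    "user_messages": "content of private communications",
    "device_characteristics": "device fingerprinting data",
    "login_events": "behavioral and location pattern data",
    "user_emails": "direct contact identifiers",
}

# Constructed: which categories each analytics purpose genuinely requires.
PURPOSE_NEEDS = {
    "course_completion_reporting": {"courses", "enrollments", "assignment_submissions"},
    "early_alert_at_risk_students": {"courses", "enrollments", "assignment_submissions",
                                     "grades", "login_events"},
}


def minimize_export(requested, purposes, justifications=None):
    """Classify each requested category.

    Returns (allowed, needs_justification, dropped):
      allowed             - required by a purpose and either non-sensitive or
                            covered by a written justification
      needs_justification - sensitive, required by a purpose, but no
                            justification recorded -> must not ship yet
      dropped             - dict of category -> reason; not needed by any purpose
    """
    justifications = justifications or {}
    unknown = set(purposes) - PURPOSE_NEEDS.keys()
    if unknown:
        raise ValueError(f"unknown purposes: {sorted(unknown)}")
    needed = set().union(*(PURPOSE_NEEDS[p] for p in purposes)) if purposes else set()

    allowed, needs_justification, dropped = set(), set(), {}
    for cat in requested:
        if cat not in needed:
            why = "not required by any stated purpose"
            if cat in SENSITIVE:
                why += f"; sensitive ({SENSITIVE[cat]})"
            dropped[cat] = why
        elif cat in SENSITIVE and cat not in justifications:
            needs_justification.add(cat)
        else:
            allowed.add(cat)
    return allowed, needs_justification, dropped


# Constructed: the default-style request that exports every category on offer.
EVERYTHING = {"courses", "enrollments", "assignment_submissions", "grades",
              "user_messages", "device_characteristics", "login_events", "user_emails"}

if __name__ == "__main__":
    result = minimize_export(EVERYTHING, ["early_alert_at_risk_students"])
    for name, part in zip(("allowed", "needs_justification", "dropped"), result):
        print(name, part)
```

Run against the constructed "everything" request with only the early-alert purpose, the script keeps the five categories that purpose needs, holds `login_events` back until someone writes down why behavioral data is required, and drops messages, device data and e-mail addresses outright. The point is the shape of the control rather than the exact lists: the default is deny, and each additional category costs a sentence of justification that an administrator can later show to parents or a regulator.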
What This Actually Costs
The pitch for centralized edtech platforms has always been efficiency: one system, one login, one analytics pipeline, one vendor to manage. That pitch is real — Canvas genuinely makes institutional administration easier. But the pitch never included the corollary: one vendor, one vulnerability, one breach, 275 million people exposed.
Students didn't choose this system. They were enrolled in it by institutions that valued operational convenience and "learning analytics" over data minimization. The data that was stolen — messages, names, IDs, behavioral records — was collected not because students consented to its collection, but because the platform was designed to collect everything by default, and the institutions buying it never asked whether it should.
COPPA's update was supposed to be the beginning of a harder conversation about children's data in edtech. That conversation just became a lot less hypothetical.
Sources: BleepingComputer, SecurityWeek, TechCrunch, TechRepublic, K-12 Dive, FTC — COPPA Rule Amendments