Instructure Canvas Data Breach Lawsuit 2026, Were You Affected? Here Is What Is Happening

Instructure, the U.S.-based education technology company behind Canvas — one of the most widely used learning management systems in the world — has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility. Instructure first detected service disruptions affecting tools relying on API keys on April 30, 2026, and by May 1, 2026, confirmed that a criminal threat actor was behind the incident. If you are a student, teacher, or school employee who uses Canvas, your personal information and private messages may have been taken.

Field	Detail
Defendant	Instructure Holdings, Inc.
Alleged Violation	Failure to implement reasonable cybersecurity safeguards; data breach
Who Is Affected	Students, teachers, and staff at Canvas-using institutions worldwide
Breach Detected	April 30, 2026
Data Exposed	Names, email addresses, student ID numbers, private Canvas messages
Current Court Stage	Pre-litigation — class action investigation active
Court & Jurisdiction	TBD — no complaint filed yet as of May 5, 2026
Lead Law Firm	Chimicles Schwartz Kriner & Donaldson-Smith LLP (investigating)
Next Hearing Date	TBD — no case filed yet
Official Case Website	TBD — no settlement or case site yet
Last Updated	May 5, 2026

What Is the Instructure Canvas Lawsuit About?

Canvas is one of the most widely used learning platforms across educational institutions and other organizations, and Instructure is based in Salt Lake City, Utah. Following a $4.8 billion acquisition by KKR and Dragoneer Investment Group in 2024, the company now operates privately with a global footprint spanning more than 100 countries.

On Friday, Instructure disclosed it suffered a cybersecurity incident and began working with third-party cybersecurity experts and law enforcement to investigate. The company confirmed that the personal information of users was exposed, including certain identifying information of users at affected institutions — names, email addresses, and student ID numbers — as well as messages among users.

ShinyHunters gave Instructure a deadline and a threat: “FINAL WARNING PAY OR LEAK.” The group claimed the stolen data includes PII connected to students, teachers, and staff, plus several billions of private messages exchanged by Canvas users, and alleged that Instructure’s Salesforce instance was also breached. Instructure has not publicly confirmed the Salesforce claim or the total scale of the theft. This is Instructure’s second confirmed breach in approximately eight months — in September 2025, the same group exploited a social engineering attack against the company’s Salesforce environment, raising serious questions about whether remediation efforts following the first breach were sufficient.

For context on how similar data breach class action cases against education technology companies have proceeded, the Conduent data breach class action — which exposed over 25 million healthcare records tied to Medicaid and major insurers — reached consolidated federal litigation within months of disclosure.

Are You Part of the Instructure Canvas Class Action Lawsuit?

No class has been formally certified yet, and no complaint has been filed in federal court as of May 5, 2026. But law firms are actively investigating, and the class of people who could be included is already taking shape. Here is how to know if this case includes you.

Related article: Meta AI Copyright Class Action For AI-Training, Five Major Publishers and Author Scott Turow Accuse Llama of Book Piracy

You may be part of this class if you are a student who used Canvas at any school or university where the breach affected institutional data. You may be part of this class if you are a teacher or staff member whose name, institutional email address, or student ID number was stored in Instructure’s systems. You may be part of this class if you sent or received private messages through Canvas — the private-message claim adds a more sensitive category of data to the alleged breach, since Canvas messages could reveal how students and teachers communicate during the school day, from assignment questions and feedback to academic concerns or extension requests. You may be part of this class if you attend or work at an institution using Canvas in North America, Europe, or Asia-Pacific. Data shared by the threat actor indicates the alleged dataset spans almost 15,000 institutions hosted across multiple geographic regions, including North America, Europe, and Asia-Pacific.

You are likely NOT included if your school or university does not use Canvas as its learning management system. You are likely NOT included if your institution uses a completely self-hosted version of Canvas with no Instructure cloud infrastructure involved.

Canvas counts over 30 million active users as customers. ShinyHunters has claimed the breach could affect up to 275 million individuals across nearly 9,000 schools. Instructure has not confirmed those numbers — the investigation is still active.

What Are Instructure Plaintiffs Seeking in This Lawsuit?

No complaint has been filed yet, so no specific damages figure appears in court documents. However, the legal basis for claims is already clear based on what law firms are investigating.

Data breaches involving student and educator information can create serious risks of targeted phishing, identity theft, impersonation, and social engineering attacks. With names, institutional email addresses, student IDs, and private messages in the wrong hands, attackers can craft highly convincing scams that appear to come from a school administrator, teacher, or classmate.

Based on the type of data exposed and the scale of the breach, any class action would likely seek compensatory damages for identity theft risk, out-of-pocket costs victims incur protecting themselves, and injunctive relief requiring Instructure to overhaul its cybersecurity practices. The legal theories in play — negligence, breach of implied contract, and unjust enrichment — are the same ones courts have accepted in virtually every major personal data stolen settlement case filed over the last five years. No money is available yet. No claim form exists. If and when a settlement is reached, affected users will receive formal notice.

For comparison, the AT&T data breach settlement resulted in $177 million for 73 million customers after two 2024 breaches involving similar categories of personally identifiable information.

What Should You Do If You Were Affected by Instructure?

You do not need to file anything or contact anyone right now to preserve your place in any future class action. Most class members are automatically included if they meet the eligibility criteria when a case is certified.

Check your email. Instructure revoked privileged credentials and access tokens, deployed security patches, rotated application keys, and implemented increased monitoring across all platforms. Customers were required to re-authorize access to Instructure’s API for new application keys to be issued. If your school sent you a reauthorization notice, that is connected to this incident.

Change your Canvas password now as a precaution. Preliminary findings suggested there is no evidence that passwords, dates of birth, government-issued identifiers, or financial information were compromised — but reusing passwords across services is never safe, especially after a breach of this scale.

Watch for phishing attempts. Your institutional email address and name are now potentially in a criminal database. Expect emails that appear to come from your school, a professor, or Canvas itself. Do not click links in unexpected emails. Go directly to your school’s official website instead.

Save any Canvas communications you have. Emails, course notifications, and screenshots confirming your enrollment at an affected institution may become relevant if you need to demonstrate you were a user during the breach period.

Consult a consumer rights lawyer if you experience actual identity theft, receive phishing messages that result in financial loss, or want to understand your options as a potential plaintiff in the class action settlement eligibility process.

Instructure Canvas Class Action Lawsuit Timeline

Milestone	Date
Service disruptions first detected	April 30, 2026
Instructure confirms criminal threat actor	May 1, 2026
Incident declared contained	May 2, 2026
ShinyHunters lists Instructure on leak site	May 3, 2026
ShinyHunters deadline to “pay or leak”	May 6, 2026
Class action investigation announced (Chimicles Schwartz)	May 4, 2026
Federal complaint filed	TBD — no lawsuit filed yet as of May 5, 2026
Class certification motion	TBD — pending complaint filing
Expected settlement timeline	TBD — typically 18–36 months after filing in comparable cases

Frequently Asked Questions

Is there a class action lawsuit against Instructure for the Canvas breach?

 Not yet — as of May 5, 2026, no complaint has been filed in federal court. Chimicles Schwartz Kriner & Donaldson-Smith LLP is actively investigating potential class action claims against Instructure in connection with the cyberattack and data breach that may have compromised sensitive personal information of students, teachers, and staff at educational institutions worldwide.

Do I need to do anything right now to be included in a future lawsuit? 

No. If a class is certified and a settlement is reached, you will receive notice at the email address your institution has on file. Save any Canvas-related emails you receive from your school over the coming weeks and keep records of your enrollment or employment at an affected institution.

Was my password stolen in the Instructure breach?

 Instructure stated there is no evidence that passwords, dates of birth, government-issued identifiers, or financial information were compromised. However, changing your Canvas password is still a reasonable precaution, and you should change it anywhere else you reuse the same credentials.

How many people does this breach actually affect?

 ShinyHunters claims the data consists of over 240 million records tied to students, teachers, and staff. Instructure’s public updates confirm a breach but stop short of confirming the scale claimed by ShinyHunters. The investigation is ongoing and the true number has not been officially confirmed.

Can I file my own lawsuit against Instructure instead of joining the class action? 

Yes — you have the right to pursue an individual claim if you experienced actual financial harm. But for most affected users, a class action is the more practical path. Consult a data privacy attorney or a class action lawsuit attorney to understand which option fits your situation.

How will I know if the Instructure case settles?

 Once a settlement is reached and preliminarily approved by a federal court, a settlement administrator will send notice to affected individuals by email. You can also monitor updates directly from Instructure at instructure.com and watch for filings in federal court. No official case website exists yet.

Is this the first time Instructure has been breached? 

No. This follows Instructure’s own separate breach in September 2025, which resulted from a social engineering attack on its Salesforce instance. Two confirmed breaches by the same threat group in under a year raises serious questions about the company’s remediation efforts after the first incident — and that pattern is exactly the kind of evidence plaintiffs use to argue negligence in a consumer fraud lawsuit.

What data was specifically taken in this breach?

 Instructure confirmed the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. The ShinyHunters group also claims to have billions of private messages and data from Instructure’s Salesforce system, though Instructure has not confirmed those additional claims.

Sources & References

• Instructure CISO Statement (May 1–2, 2026):

Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against Instructure’s official CISO statements, BleepingComputer reporting, and Chimicles Schwartz Kriner & Donaldson-Smith LLP’s investigation disclosure. Last Updated: May 5, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.