SAN FRANCISCO, May 27, 2026 /PRNewswire/ -- Schubert Jonckheer & Kolbe LLP is investigating a data breach that led to unauthorized access to the sensitive information of Canvas users, a cloud-based learning management system operated by Instructure, a Utah-based educational technology company.

On April 29, 2026, Instructure first detected unauthorized access to its systems. On May 3, 2026, the cybercriminal group ShinyHunters shared a ransom note, claiming to have exfiltrated 275 million individuals' data and billions of private messages. On May 7, 2026, ShinyHunters defaced Canvas login pages with a ransom demand, preventing students and instructors from accessing the platform, and causing delays relating to assignment deadlines, grading, and exams. Instructure disclosed that the unauthorized actor exploited an issue relating to its Free-for-Teacher accounts, which Instructure has since temporarily disabled, but it is unclear whether Instructure responded to ShinyHunters' ransom demand.

According to ShinyHunters, 9,000 schools worldwide were affected, including elementary, middle, and high schools in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin, and the following universities:

• Columbia University
• Rutgers University
• Princeton University
• Kent State University
• Harvard University
• Georgetown University
• University of Pennsylvania
• University of Washington
• University of California, Riverside
• James Madison University
• Massachusetts Institute of Technology (MIT)

Some affected schools have temporarily disabled Canvas access following the attacks.

Instructure has not yet reported either data breach to state attorney general offices, which may have violated federal or state laws.

The following data may have been compromised in the April 29 breach: names, institutional email addresses, student identification numbers, and private Canvas messages. Instructure's investigation of the May 7 breach is ongoing, and the full scope of the breach is not yet known.

If your personal information was impacted by this incident, you may be at risk of identity theft and other serious violations of your privacy. As a result, you may be entitled to money damages and an injunction requiring changes to Instructure's cybersecurity practices.

If you received notification of this data breach or are a Canvas user, or affiliated with the above educational institutions, and wish to obtain additional information about your legal rights, please contact us today or visit our website at https://www.classactionlawyers.com/canvas.

About Schubert Jonckheer & Kolbe LLP

Schubert Jonckheer & Kolbe represents shareholders, employees, and consumers in class actions against corporate defendants, as well as shareholders in derivative actions against their officers and directors. The firm is based in San Francisco, and with the help of co-counsel, litigates cases nationwide.

Contact
Sonum Dixit
Schubert Jonckheer & Kolbe LLP
sdixit@sjk.law
Tel: 415-299-8207

View original content:https://www.prnewswire.com/news-releases/privacy-alert-instructures-canvas-learning-management-system-under-investigation-for-data-breach-allegedly-affecting-nearly-275-million-users-302767891.html

SOURCE Schubert Jonckheer & Kolbe LLP