Canvas Breach Exposes 275 Million Records: May 2026 Intelligence Report

ShinyHunters breached Instructure's Canvas LMS affecting 275 million users at 8,809 institutions. Company paid ransom to prevent data leak. Credential theft campaigns surge as threat actors target educational infrastructure.

This week marked one of the most significant educational data breaches in history, as the Canvas learning management system was compromised by ShinyHunters threat actors, affecting 8,809 universities and educational institutions worldwide with 275 million user records at risk. The incident demonstrates how third-party vendor breaches can create cascading exposure for organizations that rely on centralized platforms.

Canvas Data Breach Creates Historic Educational Exposure

Instructure, the company behind Canvas LMS, disclosed a cybersecurity attack in late April 2026 involving user data including names, email addresses, student ID numbers, and messages among users. ShinyHunters stole 3.65TB of data from the platform, impacting nearly 9,000 organizations. The breach was particularly damaging because Canvas is the most widely adopted learning management system in North American higher education, used by 41% of institutions.

After initial containment efforts failed, ShinyHunters struck again on May 7, replacing Canvas login pages with ransomware messages and threatening to release sensitive data unless their ransom was paid by May 12. Instructure ultimately paid the ransom on May 11, 2026, receiving digital confirmation of data destruction through 'shred logs' from the threat actors.

Credential Theft Operations Target Business Infrastructure

Microsoft disclosed a large-scale credential theft campaign targeting more than 35,000 users across over 13,000 organizations in 26 countries, with 92% of targets located in the U.S. The majority of phishing emails were directed against healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) sectors. The campaign used adversary-in-the-middle phishing tactics to harvest Microsoft credentials and tokens in real-time, effectively bypassing multi-factor authentication.

A separate incident involved the discovery of nearly 149 million stolen usernames and passwords in a publicly accessible database containing 96 GB of raw data. The database was not password-protected or encrypted and could be accessed using a standard web browser. Criminal operations often prioritize speed and scale over operational security, storing data in misconfigured cloud servers that can be discovered through routine internet scanning, and once exposed, such datasets are frequently copied and redistributed.

Manufacturing and Healthcare Sectors Under Sustained Attack

Foxconn's North American facility was hit by a ransomware attack orchestrated by the Nitrogen ransomware group, exposing over 8 TB of data including 11 million files containing confidential information, internal project documentation, and technical drawings. West Pharmaceutical Services Inc became a victim of a cyber attack on May 4th, immediately activating incident response mechanisms, with the nature and quantity of compromised data currently under investigation.

What Individuals Should Do This Week

Given the scope of credential exposure, individuals should immediately audit their email accounts for unauthorized access and review login activity. The exposure of email addresses and account associations could allow criminals to build detailed profiles and increase the success rate of social engineering or phishing attempts, dramatically increasing the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns. Enable multi-factor authentication on all accounts, particularly educational and financial services, and consider using unique passwords for each platform.

What Businesses Should Do This Week

Organizations must urgently review their third-party vendor security posture and data handling agreements. The Canvas breach exposes a structural vulnerability in how business and educational systems have been digitized, as a single security failure at a single vendor can compromise data across thousands of institutions simultaneously. Third-party risk isn't a compliance checkbox — it's your actual attack surface. Implement vendor security assessments and require regular penetration testing from critical SaaS providers.