We are writing to alert you to a cybersecurity incident affecting Instructure, the parent company of the Canvas learning management system. Because Canvas is widely used by our independent school clients, many of you are likely within the population of approximately 9,000 affected institutions worldwide. Please contact us if you need to confirm whether your school is affected by the Canvas/Instructure data breach.
This email summarizes what we know about the breach, outlines the response steps we suggest schools take, and flags the legal and procedural considerations that we recommend shape that response. We strongly encourage you to contact us before acting publicly or operationally on this incident. Early counsel involvement is important to preserve privilege, coordinate with insurers and service providers, and avoid missteps that can compound exposure.
Nature and Scope of the Breach
Between late April and early May 2026, the criminal extortion group ShinyHunters breached Instructure and claims to have stolen 3.65 terabytes of data affecting approximately 275 million users across nearly 9,000 educational institutions. Instructure has confirmed the incident, identified the entry point as a vulnerability in its “Free-For-Teacher” account tier, and suspended that tier as of May 8, 2026. The threat actor has set a May 12, 2026 deadline for individual schools to negotiate before publishing their data.
According to Instructure (though unverified), the data accessed may be limited to names, school-issued email addresses, student identification numbers, and the contents of messages exchanged within Canvas, including student-to-student, student-to-teacher, and staff communications. Instructure has stated (also unverified) that passwords, dates of birth, government identifiers, and financial information were not compromised, and many schools may not be retaining such data within Canvas. ShinyHunters disputes that limited scope and claims access to a substantially broader dataset.
Steps Schools Should Consider Taking Immediately
Engage Counsel. Before issuing communications, contacting Instructure for scope information, or initiating internal investigations, we recommend that schools engage cybersecurity counsel. Doing so allows the school’s incident response — including forensic review, vendor communications, and internal investigations — to proceed under the attorney-client communications and work-product privileges. Communications and documents created outside that structure may be discoverable in potential later legal actions. We can step in immediately to help direct your response, coordinate with Instructure, and ensure appropriate incident response.
Notify Cyber Insurance Carrier. Even if you anticipate that response costs will not exceed your retention, most policies require timely notice of a cybersecurity event or potential claim as a condition of coverage, and late notice is a common reason coverage is denied. Notification at this stage is protective, not committal. We routinely handle carrier notifications for schools and can help make the notification in a manner that preserves coverage without overstating exposure.
Informal Notification to School Community. Schools should consider issuing a brief, plain-language notice to parents, students, faculty, staff and the school community informing individuals about the vendor incident, identifying what is known and not yet known, and providing a single point of contact. The notice should not speculate on scope and is not a substitute for formal breach notification, which would be performed later. We have model language tailored to independent schools that we can help adapt for your community.
Systemic Credential and Access Resets. Although Instructure states that passwords were not exposed, defensible incident-response practice is to rotate credentials that might have been exposed. This includes the following:
- Precautionary password reset across the school’s single sign-on environment, such as Google Workspace, Microsoft Entra/Azure, etc.
- Revocation and reissuance of API tokens, authentication credentials, LTI keys, and developer keys connected to Canvas.
- Rotation of any service-account credentials used for SIS-to-Canvas synchronization.
- If your school uses Canvas-native multi-factor authentication, the underlying TOTP seeds (used by Google Authenticator and similar apps) reside on Instructure infrastructure and should be re-enrolled.
- If MFA is provided through your single-sign-on identity provider, the authenticator entries themselves are not in scope, though a precautionary refresh remains defensible for elevated accounts.
- Free-For-Teacher accounts tied to school email addresses should be reset and audited, and a forward-looking policy prohibiting personal FFT accounts for school activity merits consideration.
The sequence and scope of these resets should be coordinated with counsel and IT leadership to avoid operational disruption and to preserve forensic evidence.
Plan Extended Timeline. Schools should expect to wait weeks to months for Instructure to issue a final post-incident report and individualized scope letters identifying which records belonging to your institution were accessed. Public reporting indicates Instructure has not yet committed to a specific date for those deliverables, has not posted the incident to its social channels, and has at times trailed events on its own status page. Formal breach-notification obligations under state law, FERPA implications, obligations under your data processing agreement with Instructure, and any regulatory inquiries will all unfold against that delayed information environment. We can help you press Instructure for tenant-specific information, evaluate breach-notification triggers as facts develop, and stage your communications accordingly.
Designate Dedicated Points of Contact. We recommend that each school identify a small, named incident-response team, and establish a dedicated incident email address (e.g., incident@[school].edu) and a dedicated phone line for community inquiries. Front-line staff should receive a brief script and an escalation path. Concentrating inquiries through these channels ensures appropriate record keeping and consistent messaging, and prevents well-meaning but unscripted responses from individual staff members from creating evidentiary problems later.
Conclusion and Action Items
Schools using Canvas should consider taking the following steps: (i) engage cybersecurity counsel before acting further; (ii) notify your cyber insurance carrier; (iii) appoint an incident response team and stand up dedicated communication channels; (iv) issue informal community notification; (v) conduct systemic credential and integration-token resets in coordination with IT and counsel; and (vi) prepare for a multi-month timeline of additional disclosures from Instructure and corresponding obligations under state and federal law and your data processing agreements.
This incident is unusual in its scale, and the legal, regulatory, and reputational considerations are intertwined in ways that benefit substantially from early, deliberate and coordinated activity. Please call us directly if you have questions. We are actively advising our school clients on this matter and can move quickly. Thank you.