Illustration of a digital lock breaking on a school tablet displaying the Canvas logo, with shadowy figures in the background representing hackers.
Illustration of a digital lock breaking on a school tablet displaying the Canvas logo, with shadowy figures in the background representing hackers.

The breach highlights growing risks in ed-tech vendor systems. If someone you know uses Canvas at school, this may be worth sending their way.

Hackers Access Data of 275M Students Story flow and key facts

A data breach affecting Canvas, a widely used learning management system, has raised alarms across the U.S. education sector. On May 1, 2026, Instructure, the company behind Canvas, notified school districts including Wayzata Public Schools in Minnesota that hackers had gained access to certain internal systems. The breach potentially exposed names, email addresses, student ID numbers, and internal Canvas messages of up to 275 million users across more than 9,000 schools globally.

Wayzata officials emphasized that the breach was limited to Instructure’s systems and did not compromise the district’s internal networks. No passwords, dates of birth, Social Security numbers, or financial information were accessed, according to Instructure. The company has since contained the incident, revoked privileged credentials, deployed security patches, and increased monitoring. Steve Proud, Instructure’s Chief Information Security Officer, said the company is working with external forensics experts to assess the full impact.

The breach underscores growing concerns about third-party vendor security in education technology. Canvas is used for homework, grading, and student communication in thousands of schools, making it a high-value target. While no evidence suggests the data has been misused yet, families are urged to watch for phishing attempts and monitor accounts for suspicious activity. The investigation is ongoing, and it remains unclear how many individuals were affected or whether any data was specifically targeted in Minnesota or other regions.

Facts

  • On May 1, 2026, Instructure notified Wayzata Public Schools of a data breach affecting Canvas systems.
  • Hackers accessed names, email addresses, student IDs, and internal Canvas messages of up to 275 million users across 9,000 schools.
  • No passwords, dates of birth, government IDs, or financial data were compromised, according to Instructure.
  • The breach occurred at the vendor level; Wayzata’s internal networks were not breached.
  • Instructure has contained the incident, revoked credentials, and deployed security patches.
  • Families are advised to watch for phishing attempts and monitor student accounts for unusual activity.

Canto visual news explainer. AI tools may assist production. Editorial policy