The Largest Education Data Breach: A Vendor Attack Unveiled
May 7, 2026
Image by: C messier
Summary
ShinyHunters breached Instructure’s Canvas learning management system, targeting 9,000 institutions worldwide, including 44 Dutch universities and schools. The hack resulted in the exposure of 3.65 terabytes of data from 275 million users, highlighting the risks associated with vendor concentration in education technology.
Breach Details
- Date: 30 April
- Perpetrators: ShinyHunters
- Target: Instructure’s Canvas LMS
- Affected Users: 275 million
- Institutions: Nearly 9,000 educational institutions globally, including 44 Dutch schools.
- Stolen Data: Private messages between students, teachers, and staff.
The Impact
The breach exposes a critical structural vulnerability:
- Schools were not the target but instead victims of a vendor attack.
- Years ago, they entrusted student data to a single vendor, losing control over security.
About Instructure
- Founding: 2008
- Market Dominance: Canvas became the dominant LMS in the U.S., overtaking Blackboard.
- Recent History:
- Went public in 2015.
- Acquired by Thoma Bravo for $2 billion in 2020.
- Sold again to KKR and Dragoneer Investment Group for $4.8 billion in November 2024.
- Current Status: Private entity owned by a large alternative asset manager, serving 200 million learners globally.
- Products: Canvas LMS, Canvas Studio, Mastery Assessment.
Prior Breach
This is Instructure’s second confirmed breach in eight months, with ShinyHunters exploiting vulnerabilities in September 2025.