Published
June 20, 2026
Allegations Only · No Settlement Yet
This article describes class action complaints and an attacker's public claims. The lawsuit statements below are unproven allegations. Instructure has not been found liable, there is no certified class, and nothing to claim at this time. This page is informational and is not legal advice.
Status
Breach Confirmed · Lawsuits Filed
Early-stage class actions · e.g. Sarkis v. Instructure (D. Utah)
Confirmed Data
Names, emails, student IDs & Canvas messages
Instructure says no evidence passwords, SSNs, dates of birth or financial data were taken
Attacker Claim (unverified)
~3.65 TB · hundreds of millions of users
ShinyHunters' figures · not confirmed by Instructure
Can I Claim?
No — nothing to claim yet
No settlement, no fund, no claim form at this stage
What Is This About?
Instructure, the company behind Canvas — the learning management system (LMS) used by a large share of U.S. colleges, universities, and K-12 schools — confirmed a data breach affecting Canvas. After the breach became public, multiple proposed class action lawsuits were filed against the company on behalf of students and other Canvas users whose information was exposed.An early filed case is Sarkis v. Instructure, Inc., No. 2:26-cv-00380, in the U.S. District Court for the District of Utah, where Instructure is based. Additional class actions have been reported in other courts. The suits allege Instructure failed to adequately safeguard the personal information of Canvas users. Instructure has not been found liable, and the claims remain unproven.
What Instructure Confirmed
According to Instructure, the incident involved names, email addresses, student ID numbers, and messages exchanged among Canvas users. The company has said it found no evidence that passwords, dates of birth, government identifiers such as Social Security numbers, or financial information were involved. Instructure said it detected unauthorized access in late April 2026, cut off the access, engaged outside forensic experts, and began notifying affected parties. The company has also acknowledged a follow-on intrusion in which attackers defaced a number of Canvas school login portals, and reporting indicates Instructure ultimately paid a ransom in exchange for the return or destruction of the data.Confirmed Data vs. the Attacker's Claims
As with many breaches, there is a large gap between what the company has confirmed and what the attacker claims:• Instructure-confirmed: the categories of data above (names, emails, student IDs, Canvas messages); the company has not confirmed any victim count or data volume.
• Attacker claim (unverified): the extortion group ShinyHunters claimed it exfiltrated roughly 3.65 terabytes of data affecting hundreds of millions of students, teachers, and staff across thousands of institutions. Multiple security outlets have described these figures as unverified, and Instructure has not confirmed them.
The reliable takeaway is the confirmed list of data categories; the eye-catching "hundreds of millions" scale is the attacker's claim, not an established fact.
Lawsuits and Government Scrutiny
The class action complaints allege Instructure failed to implement reasonable data-security measures to protect Canvas users' personal information, with some complaints pointing to inadequate encryption and to the disruption students faced around finals when the incident unfolded. The complaints seek damages, long-term identity-theft protection, and orders requiring stronger security. As with any complaint, these are allegations only, and no court has ruled on them.The breach has also drawn attention from Congress: the House Homeland Security Committee and the Senate HELP (Health, Education, Labor & Pensions) Committee both sent inquiries to Instructure seeking details about the incident, the data involved, and a separate earlier compromise the company has acknowledged.
Is There a Canvas Breach Settlement Yet?
No. These are lawsuits, not a settlement.That means:
• There is no settlement fund.
• There is no claim form.
• There is no payout, and no deadline to act.
The cases are at the very beginning of the litigation process, with no class certified and no consolidation into a single proceeding confirmed. If the litigation is ever resolved through a settlement, or a class is certified, a formal claims process with its own eligibility rules and deadlines would be announced separately. Be cautious of any website that claims you can "file a claim" for this matter today.
What Should Canvas Users Do Now?
Because the confirmed data did not include passwords or financial information, the most useful steps are practical: be skeptical of phishing emails or texts that reference your school, Canvas, or a "data breach claim," and change your Canvas password as a precaution. Students and parents concerned about student ID exposure can watch for unusual account activity. There is nothing to claim right now; keep any breach notice you receive in case a settlement or certified class later opens a claims process.This page is informational and is not legal advice. People with questions about their individual rights may want to speak with a licensed attorney in their state.
Frequently Asked Questions
Is there a Canvas data breach settlement yet?
No. Class action lawsuits have been filed against Instructure, but there is no settlement, no fund, and no claim form. Instructure has not been found liable.What data was exposed in the Canvas / Instructure breach?
Instructure confirmed names, email addresses, student ID numbers, and Canvas user messages. It says it has no evidence that passwords, dates of birth, Social Security numbers, or financial information were involved.How big was the Canvas data breach?
Instructure has not confirmed a victim count. ShinyHunters claimed ~3.65 TB and hundreds of millions of users across thousands of schools — unverified attacker figures the company has not confirmed.Sources
• BleepingComputer — Instructure confirms Canvas intrusion and portal defacement• KrebsOnSecurity — reporting on the Canvas breach disruption
• Reed Smith — "Canvas/Instructure cyberattack: key developments"
• Court records — Sarkis v. Instructure, Inc., No. 2:26-cv-00380 (D. Utah)
Free settlement alerts
Get notified when new class actions open to claims
Join thousands of readers who get the latest class action settlements you may qualify for — delivered straight to your inbox.
For more class actions keep scrolling below.
Status
Breach Confirmed — Class Actions Filed
Lead Case
Sarkis v. Instructure, Inc.
Case Number
2:26-cv-00380
Court
U.S. District Court, District of Utah
Confirmed Data
Names, emails, student IDs, Canvas messages
Disclosed
Late April – May 2026
