If you take or teach a class on Canvas in California, your name, school email, student ID, course history, and platform messages may be among the data exposed in the May 2026 Instructure breach — here's what happened and the steps to protect yourself.
Instructure has confirmed a security incident affecting Canvas. Statements below about how the attack was carried out, the volume of data taken, and the threat actor's conduct reflect reporting, threat-intelligence research, and class action allegations — they are unproven, and no court has ruled on them. This page is informational and is not legal advice.
| Reported as Exposed | Reported Not Stored / Protected |
|---|---|
| Full student and faculty legal names | Account passwords (salted and hashed) |
| Institutional / campus email addresses | Social Security numbers |
| Internal student ID numbers | Dates of birth |
| Course titles, rosters, and enrollment history | Tuition and financial billing records |
| Private messages sent on the platform | Core learning data (graded work, file uploads) |
Yes. The May 2026 cyberattack on Instructure, the maker of the Canvas learning management system, disrupted all 23 California State University (CSU) campuses and all 116 California Community Colleges, along with thousands of other schools that use Canvas worldwide.
Instructure has indicated that exposed data may include full names, institutional email addresses, internal student ID numbers, course rosters and enrollment history, and private messages sent on the platform. Instructure has stated that account passwords were stored in salted, hashed form and that Social Security numbers, dates of birth, and tuition/financial records were not stored in the affected system.
According to forensic reporting and class action filings, attackers allegedly exploited a cross-site scripting (XSS) weakness tied to user-generated content in Canvas, captured authenticated administrator sessions, and used those tokens to run privileged API calls. These remain allegations; no court has ruled on the cause.
Multiple class action lawsuits have reportedly been filed against Instructure over the breach. There is no settlement and nothing to claim yet. You can follow the litigation on our Canvas data breach class action page.
Be alert for phishing emails and texts referencing Canvas, your grades, financial aid, or a "restoration fee"; do not click password-reset links in unsolicited messages. Review approved integrations and API tokens in your Canvas account settings, use a unique password for your campus login, and enable multi-factor authentication on your single sign-on account.
Free settlement alerts
Join thousands of readers who get the latest class action settlements you may qualify for — delivered straight to your inbox.