Need Incident or Breach Response Assistance? Call our Hotline at 844-397-7763
ProCircular
Get Canvas Breach Support →
ShinyHunters Data Leak · Instructure / Canvas LMS

Canvas Breach Customer Lookup

Search the list of 8,809 education institutions ShinyHunters named on their leak site after the April 2026 Instructure / Canvas breach — the LMS used by roughly 41% of higher-education institutions in North America and thousands of K–12 districts. Instructure has confirmed that names, email addresses, student ID numbers, and user-to-user messages were exposed.

The list comes from the threat actor and is not 100% reliable — treat a hit as a trigger to investigate, not a finding of fact. Type any part of a name; results filter as you type. Local-only: nothing you type is sent anywhere.
About this incident — timeline, scope, and the extortion risk

Timeline.

  • April 30, 2026. Instructure detected a service disruption that turned out to be a cybersecurity incident.
  • May 1, 2026. Instructure confirmed an attacker had exploited a vulnerability in its cloud environment to access APIs and privileged credentials. The vulnerability has since been patched, application keys rotated, and customers required to re-authorize their integrations.
  • May 3, 2026. ShinyHunters — a financially motivated cybercrime group also tied to prior attacks on Ticketmaster, AT&T, and Snowflake customers — claimed responsibility on a leak site and published a list of 8,809 affected institutions. Major universities including Penn, Duke, and Michigan have publicly confirmed they appear on the list.

What Instructure has confirmed exposed:

  • Names
  • Email addresses
  • Student ID numbers
  • User-to-user messages

What Instructure has stated was NOT involved: passwords, dates of birth, government identifiers, financial information.

Unverified threat-actor claims. ShinyHunters' bigger claims — 275 million records, 3.65 terabytes of data, and a separate breach of Instructure's Salesforce instance — remain unverified and are almost certainly inflated for extortion leverage.

Why direct extortion of individual schools is the real risk. Canvas is multi-tenant SaaS — every institution's data lives in shared infrastructure but is logically segmented by tenant, and the actor's already-published per-institution record counts confirm the dataset has been sliced by school. The PowerSchool incident from late 2024 is the direct precedent: after PowerSchool paid a $2.85 million ransom and received what was supposed to be proof of data deletion, the threat actor turned around in May 2025 and started emailing individual school districts directly demanding additional payments. Districts in North Carolina, the Toronto District School Board, and others received "pay or leak" emails — some signed "ShinyHunters."

Expect the same pattern against Canvas institutions over the coming weeks, including bluffs from imitators trying their luck with the public list. Authenticity verification of any data sample is the first response. Do not negotiate, do not pay, do not engage without third-party triage.

Caveats on this list. The 8,809 names are from the threat actor and are not 100% reliable. Inclusion is not independent confirmation that an institution's user data was successfully exfiltrated — treat it as a trigger to investigate. Names were extracted verbatim from the public DLS text file (8,790 unique entries here after deduplication); some Swedish, Spanish, and Portuguese accented characters render as ? due to upstream encoding artifacts.

0 matches
Found Your Institution?

Here's what your institution should be doing now.

A name on the ShinyHunters list is a credible trigger to act. The exposure most institutions aren't planning for is direct extortion of individual schools — the same pattern that hit K–12 districts after the PowerSchool incident.

Critical: Expect "pay or leak" emails sent directly to your institution — including bluffs from imitators trying their luck with the public list. Do not negotiate, do not pay, do not engage without third-party triage and authenticity verification of any data sample.

Three actions to take now

  1. Audit your Canvas tenant for persistence. Look for unfamiliar admin accounts, developer keys, LTI tools, and webhook subscriptions. Instructure's central credential rotation does not cover persistence mechanisms inside your tenant.
  2. Establish an extortion-email escalation path before one arrives. Decide in advance who receives it, who they call, and the standing rule that you do not negotiate, pay, or respond without third-party verification.
  3. Brief help desk and faculty on elevated phishing risk. Stolen names, institutional email addresses, and course context make for very convincing impersonation — against students, parents, and staff alike.

ProCircular is supporting affected education customers with incident response, Canvas tenant audits, and extortion triage. Reach out to your account team or contact us directly.

Get Canvas Breach Support → or call the 24/7 IR hotline: 844-397-7763
Built and maintained by ProCircular — an Iowa-based cybersecurity firm specializing in incident response, vCISO, penetration testing, and risk assessments for education, healthcare, and finance.
Data source: ShinyHunters DLS leak file (publicly posted, claimed 8,809 institutions). Searchable here: 0 unique entries after deduplication. This page is informational and does not host or link to leaked data. If you believe an entry should be removed, open an issue.