If you’re reading this, the odds are pretty good that your kid’s school district, your college, or your local university is on the affected list. About 8,809 institutions worldwide were named in the May 2026 Canvas breach — that’s roughly 7,400 U.S. schools across all 50 states, plus thousands more internationally. Harvard, Stanford, MIT, the entire Ivy League. LAUSD, Chicago Public Schools, Miami-Dade, Clark County, the entire Hawaii Department of Education. Millions of K-12 students. Literally, not metaphorically.

This is the second large education breach in 18 months. The PowerSchool breach we covered back in early 2025 hit roughly 62 million students and 9.5 million educators. Now Canvas. The pattern is clear and it’s not going away.

So let’s skip the panic and get to what you can actually do.

What Got Stolen (And What Didn’t)

The hackers — a group called ShinyHunters that’s been responsible for breaches at Ticketmaster, Salesforce, and several Ivy League universities — claim they took 3.65 terabytes of data representing about 275 million records.

Confirmed stolen:

  • Names
  • School email addresses
  • Student ID numbers
  • Private messages exchanged inside Canvas (between students, between students and teachers, between students and academic advisors)

Confirmed NOT stolen (according to Instructure, the company that makes Canvas):

  • Passwords
  • Dates of birth
  • Social Security numbers
  • Financial information
  • Coursework, grades, or assignments

That sounds reassuring. Here’s the part nobody is saying loudly enough: the private messages are the dangerous part.

Think about what gets typed into Canvas messages:

  • A student asking their professor or teacher about a medical accommodation
  • A college student emailing their advisor about a mental health crisis or a family emergency
  • A K-12 parent messaging a teacher about their child’s behavioral or medical issues
  • Students reporting harassment or discrimination through course channels
  • Faculty discussing specific students with each other

A stolen password gets changed in 30 seconds. The fact that your daughter disclosed an eating disorder to her academic advisor in February 2024 cannot be un-disclosed. That’s the data that’s now in criminal hands, attached to her real name, her real student ID, and her real school email.

This is what makes the Canvas breach worse than the PowerSchool breach in some ways. PowerSchool leaked Social Security numbers — which is bad, but actionable; you freeze credit and move on. Canvas leaked the content of private conversations, which is something you can’t take back.

What’s Actually Going to Happen Next

In our experience covering breaches, here’s the realistic threat model — what scammers will actually try in the coming weeks and months.

1. Highly Convincing Phishing Emails

This is the big one. The stolen data lets scammers send emails that look exactly like they’re from your school, your child’s school district, your registrar’s office, your kid’s actual teacher. The emails will reference real course names, real instructor names, real dates. They will look completely legitimate.

The classic phishing playbook doesn’t work anymore. The new playbook is: “Hi [Real Name], this is [Real Advisor]. I noticed you missed Tuesday’s [Real Course Name] lecture. Click here to access the makeup material before Friday’s quiz.”

That kind of email is going to land in millions of inboxes over the next 90 days.

2. Spoofed District Communications to Parents

For K-12 families specifically, expect emails that look like they’re from the superintendent, the principal, or the school nurse. They will reference real district names, real school calendars, real upcoming events. The goal is usually one of three things:

  • Get you to click a link that installs malware
  • Get you to enter login credentials on a fake page
  • Get you to “verify” payment information for fake fees, fundraisers, or activity costs

3. “Sextortion” and Personal-Data Extortion

Where Canvas messages contained sensitive personal disclosures — and many will have — expect targeted extortion attempts. Scammers will reference real private content from real messages to make threats seem credible. They may demand cryptocurrency payments to “prevent” data from being released, even though the data is already out.

The FBI has explicitly warned that scammers will piggyback on this breach to extort people who may not even have had data exposed. Many of these threats will be bluffs based on the public list of affected schools, not actual stolen data. Do not pay anyone.

4. Synthetic Identity Fraud (For Minors)

Here’s the part most people don’t know: children have credit reports. They’re usually blank, which makes them perfect for criminals to build fake identities on top of. A stolen student ID number combined with publicly available information — your address, your child’s date of birth from school records that may have leaked elsewhere — can be used to open credit accounts, file fake tax returns, and apply for benefits. The fraud often isn’t discovered until the child turns 18 and tries to open their first bank account.

This is exactly what happened with the PowerSchool breach, and the cleanup process for victimized kids took years.

What to Do This Week — A Real Checklist

For Every Family

1. Treat any school-related email as suspicious for the next 90 days.

If your school emails you about anything urgent — a problem with your kid’s grade, a missed payment, a security warning, a deadline — do not click anything in the email. Open a new browser window, go directly to the school’s website by typing the URL yourself, and log in there. If there’s a real notification, it’ll be there.

2. Change passwords anywhere you reused your Canvas password.

If you (or your kid) used the same password for Canvas as you used for email, Amazon, banking, or social media — change all of them now. And use a password manager. Stop reusing passwords.

3. Turn on two-factor authentication everywhere.

Email first. Then banking. Then social media. Then everything else. This single step blocks the overwhelming majority of account takeover attempts. Use an authenticator app (Google Authenticator, Authy, 1Password) rather than SMS where you can — SMS 2FA can be defeated by SIM-swapping.

4. Talk to your kid (if they’re old enough) about what happened.

Especially teens and college students. Tell them:

  • Their school’s Canvas data was stolen
  • It probably included messages they sent to teachers and advisors
  • They should be extremely suspicious of any email or text from “the school” for the next several months
  • If anything weird shows up — a message referencing private things — they should tell you immediately and not pay anyone

For Parents of K-12 Kids (Especially Under 13)

5. Freeze your child’s credit. Right now. All three bureaus.

This is the single most important thing you can do for a minor child’s protection. Yes, kids have credit reports. Yes, you can freeze them. Yes, it’s free. Yes, it’s worth the 30 minutes.

You’ll need your child’s birth certificate, Social Security card, your own ID, and proof of address. Each bureau handles it slightly differently and a couple require mailing documents. Do all three. A freeze on one bureau doesn’t help if a fraudster checks the other two.

6. Ask your school district one direct question.

In writing. To the superintendent’s office or the principal:

What specific student data fields were stored in our district’s Canvas instance, and when will we receive formal notification about whether our child’s data was included in the breach? Under FERPA and our state’s student privacy law, what is the district’s notification timeline?

If the answer is mushy, vague, or “we’re waiting on Instructure,” escalate it — to the school board, to your state Attorney General’s office. Most states have a student privacy office that takes these complaints seriously.

7. If your child is under 13, COPPA applies.

The federal Children’s Online Privacy Protection Act has stricter rules for under-13 data, including specific parental notification rights. The updated COPPA rule took effect April 22, 2026 — just before this breach. Your district has obligations that go beyond standard FERPA. The compliance angle is covered in detail at compliancehub.wiki for anyone who wants the full regulatory breakdown.

For College Students and Their Parents

8. Be extra cautious about anything finals-week related.

The breach hit right in the middle of finals. Scammers know this. Expect emails about “grade disputes,” “transcript holds,” “tuition payment problems,” “registration issues,” “scholarship verification.” Anything that creates urgency around your academic standing is a red flag right now.

9. Watch for “your data is for sale” extortion.

If anyone contacts you claiming they have your private Canvas messages and demands payment to keep them private, do not pay. Document the message (screenshot it). Report it to the FBI’s Internet Crime Complaint Center at ic3.gov. Then tell your university’s IT and security office.

10. Check your student loan and financial aid accounts.

Student ID numbers are sometimes used as identifiers in financial aid systems. Log into FAFSA and your loan servicer accounts — using the direct websites, not links in emails — and verify nothing has been changed.

What This Breach Is Really About

EdTech companies — PowerSchool, Illuminate, now Instructure — have been consolidating for years. A handful of vendors now run the platforms that thousands of schools depend on. When one of them gets hit, everyone gets hit at once.

The PowerSchool breach in December 2024 exposed data on roughly 72 million students and educators. The root cause? PowerSchool’s customer support portal didn’t have multi-factor authentication. A single compromised contractor credential gave the attacker access to data on tens of millions of children.

The Canvas breach is structurally similar — a weak point in a free-account program became the entry point to data on the entire user base. Different vector, same lesson: when the platform underneath your kid’s school has a weakness, your kid’s school has a weakness.

The Bigger Picture for Parents

Schools were not built to be data custodians for millions of children’s most sensitive information, and the vendors they’re forced to use are not built for it either. Until that changes — until procurement officers, school boards, and state legislators treat student data privacy as seriously as student physical safety — these breaches are going to keep happening.

What you can control is your own family’s exposure. Freeze the credit. Use a password manager. Turn on 2FA. Teach your kids to be skeptical of urgent-sounding school emails. Ask your district hard questions in writing.

The Canvas breach is bad. PowerSchool was bad. The next one will be bad too. Your job is to be the parent who already did the boring protective work before it happened.