TL;DR
Instructure confirmed a data breach of its Canvas learning platform affecting roughly 275 million users worldwide. Names, emails, student IDs, and user messages were reportedly exposed. ShinyHunters claimed responsibility. If you're a student, instructor, or administrator using Canvas, take three actions: (1) save your coursework, grades, and key communications as PDFs immediately using Convert: Web to PDF; (2) change your Canvas password and any reused passwords; (3) watch for phishing emails that reference your real Canvas details. This post covers what to save, how to save it locally without uploading sensitive academic records to risky online tools, and how to track future breach updates.
What Happened With the Canvas / Instructure Breach
Instructure, the company behind the Canvas learning management system used by thousands of universities and K-12 districts, confirmed a data breach in May 2026:
- ShinyHunters threat actor claimed responsibility
- Approximately 275 million users impacted across thousands of educational institutions
- Exposed data reportedly includes: names, email addresses, student IDs, and user messages
- Investigation ongoing as of early May 2026
- Affected institutions include K-12 districts, community colleges, and major universities
Canvas is one of the most widely used LMS platforms globally. Many students have years of coursework, exam history, professor communications, and academic records inside it. A breach of this scale combined with an LMS that holds long-term student data is a worst-case scenario for academic privacy.
Why You Should Act Even If "Just" Names and Emails Were Exposed
A common reaction to breaches is "well, my name and email are already public." That misses what makes LMS breaches different:
Phishing context. Attackers know which Canvas instance you use, which courses you're enrolled in, and possibly which professors message you. A targeted email pretending to be your professor's TA asking you to "review your final grade" is much more credible.
Academic record exposure. Even if grades weren't fully exposed in this incident, the structured combination of student ID + name + email is highly identifying for credential-stuffing attacks against other student systems.
Long-term retention. Canvas often stores coursework, submissions, and feedback for years. If the breach extended to message contents, multi-year academic communications could be exposed.
Cross-platform risk. Student emails and IDs reused across systems (financial aid portals, library systems, university email) create cross-system risk.
The next 60-90 days are the highest-risk window for phishing and identity exploitation following a breach of this size.
Step 1: Save Your Coursework as PDFs
Before doing anything else, capture your academic record. Don't assume Canvas data will remain accessible long-term — institutions sometimes archive courses, change retention policies, or revoke access after graduation.
What to Save Immediately
Current term:
- Course syllabi for every active course
- Assignment instructions you may need to reference later
- Your submitted assignments and the feedback you received
- Discussion board posts (yours and important threads)
- Quiz/exam attempt records (if visible)
- Grades displayed in Canvas gradebook
- Course modules and content
Past terms:
- Grade reports for every completed term
- Final exam feedback
- Major papers with rubric annotations
- Evaluations and comments from instructors
Communications:
- Inbox messages from instructors with academic information
- Office hours scheduling threads
- Letters of recommendation discussions
- Academic integrity communications (if any)
Convert: Web to PDF saves Canvas pages cleanly as PDFs in your browser without uploading anything to an external server. This is critical for academic records: many free online PDF tools retain copies of what you upload, and you don't want your coursework on someone else's server.
What Format to Save In
PDF preserves:
- Visual layout (important for assignment instructions and rubrics)
- Date stamps (which can matter for academic integrity records)
- Submission timestamps
- Grader comments inline
PDFs also live in standard file systems where you control storage, unlike Canvas's archive policies which vary by institution.
Step 2: Change Your Canvas Password and Anywhere It's Reused
Canvas passwords are commonly reused across:
- University email accounts
- Library systems
- Student financial aid portals
- Course-related external tools (Turnitin, Pearson, etc.)
- Personal Google/Outlook accounts (if students are sloppy)
If you reused your Canvas password anywhere:
- Change it on Canvas first
- Change it everywhere else immediately
- Enable two-factor authentication where available
- Use a password manager going forward (1Password, Bitwarden, etc.)
For institutions using Single Sign-On (SSO) for Canvas, the relevant password is your university's main credential — and that's the one that needs to be rotated.
Step 3: Watch for Phishing in the Next 90 Days
Targeted phishing after LMS breaches typically follows these patterns:
"Action required on your Canvas account." Links to fake Canvas-look-alike login pages. Always type the real Canvas URL or use bookmarks rather than clicking links.
"Your final grade has been updated." Particularly effective near term-end. Real grade updates are visible on the gradebook page; you don't need an external link.
"Refund / financial aid disbursement." Phishing that mixes Canvas knowledge with financial aid panic. Always log into the real student portal directly.
"Professor wants to discuss your submission." Personalized using exposed name, course, professor contact. Real professor emails come from your university's @ domain — verify the sender.
"Update your account to prevent suspension." Urgency-driven phishing. Canvas doesn't suspend accounts via email links.
When in doubt:
- Don't click email links related to Canvas
- Go directly to your bookmarked Canvas URL
- Verify with your professor or institution's IT help desk
- Save phishing emails as PDF (using Convert: Anything to PDF) before reporting them to IT
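The two checks above (does the sender sit inside your school's domain, and does every link stay on the real Canvas host) can be run against a saved message before anyone clicks anything. The script below is an added example, not part of the original article or any Canvas tooling; `CANVAS_HOST`, `SCHOOL_DOMAIN`, the function names, and both sample messages are placeholders constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed placeholders (not from the article): set these to your institution's real values.
CANVAS_HOST = "canvas.university.example"
SCHOOL_DOMAIN = "university.example"
# Lure phrases taken from the phishing patterns listed above.
LURES = ("action required", "final grade", "refund", "financial aid",
         "discuss your submission", "prevent suspension")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def in_domain(host, domain):
    """True only for the domain itself or a true subdomain, not a look-alike prefix or suffix."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw_eml):
    """Return reasons to distrust a saved email; an empty list means no check fired."""
    msg = message_from_string(raw_eml)
    findings = []
    # A matching From header is not proof of origin (it can be forged); only mismatches are flagged.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domain(sender_domain, SCHOOL_DOMAIN):
        findings.append(f"sender outside {SCHOOL_DOMAIN}: {sender_domain or 'none'}")
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    text = " ".join(p.decode("utf-8", "replace") for p in parts)
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL: treat as untrusted
            host = None
        if not (in_domain(host, CANVAS_HOST) or in_domain(host, SCHOOL_DOMAIN)):
            findings.append(f"link leaves school domain: {host}")
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [phrase for phrase in LURES if phrase in haystack]
    if hits:
        findings.append("lure wording: " + ", ".join(hits))
    return findings

# Constructed samples for illustration, not real messages.
PHISH = ("From: TA Lee <ta.lee@university-example.test>\n"
         "Subject: Your final grade has been updated\n\n"
         "Review it: https://canvas.university.example.grade-check.test/login\n")
BENIGN = ("From: Registrar <registrar@mail.university.example>\n"
          "Subject: Office hours moved\n\n"
          "See https://canvas.university.example/courses/101\n")
if __name__ == "__main__":
    print(triage(PHISH), triage(BENIGN))
```

The link in the constructed phishing sample starts with the real Canvas hostname but actually belongs to a different registered domain, which is why the comparison is made on the end of the hostname rather than on a substring match.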
Step 4: Document Your Breach Response
If you're a student affected, keep a record of:
- The breach notification you received from Canvas/Instructure or your institution
- Any privacy rights you've exercised (deletion, access requests)
- Communications with your institution's IT or privacy office
- Any identity protection services offered
If you later need to demonstrate that a particular phishing attack or identity issue traced back to this breach, having dated records helps.
Convert: Anything to PDF handles email notifications, screenshots, and Word documents — useful for assembling a single PDF folder of breach response actions.
What Instructors and Administrators Should Save
Faculty using Canvas have a different set of priorities:
Instructional materials:
- Original syllabi (not the Canvas-imported version)
- Assignment templates and rubrics
- Lecture materials
- Test banks (if maintained in Canvas)
Student communications:
- Any communications relating to academic integrity cases
- Office hours records
- Letters of recommendation correspondence
- Disability/accommodation communications
Grading records:
- Backed-up gradebook exports
- Grade dispute documentation
- Final grade rolls
Course management:
- Course settings configurations
- LTI integrations
- Third-party tool configurations
Many faculty have Canvas content that disappears or becomes hard to access when a course is archived. Saving as PDF or exporting through Canvas's official tools provides redundancy.
How Canvas's Native Export Compares to PDF
Canvas has built-in export options:
| Feature | Canvas Native Export | Convert: Web to PDF |
|---|---|---|
| Format | IMSCC (Common Cartridge) | PDF |
| Easily readable | No (requires LMS) | Yes — any PDF reader |
| Preserves grades | Limited | Yes (visual capture) |
| Preserves comments | Yes | Yes (visual capture) |
| Long-term portability | Limited | Excellent |
| Speed | Slow for large courses | Page-by-page on demand |
| Privacy | Goes through Canvas | Stays local in browser |
The Canvas export is useful for course migration to another LMS. PDF is what you want for personal long-term archive — readable in 20 years without specialized software.
Best practice: do both. Use Canvas's official export for full course backup, and use Convert: Web to PDF for individual pages you specifically care about.
Privacy: Why Local-Only PDF Tools Matter for Academic Records
The 2026 wave of breaches (Vercel, Canvas, plus various PDF service breaches) has made clear: anything you upload to a free online tool is at risk.
Canvas data uploaded to a free online PDF converter is double-exposed:
- The Canvas breach already exposed some of your data
- The PDF converter may have its own data retention or breach risk
Local-only browser tools — operating entirely within your browser without uploading to any server — eliminate the second risk. Convert: Web to PDF and Convert: Anything to PDF are designed this way.
For sensitive academic records — grades, accommodation letters, academic integrity correspondence — local processing is the only acceptable approach.
Comparison: 2026 Education-Sector Breaches
| Breach | Affected | Date | Threat Actor | Sensitive Data |
|---|---|---|---|---|
| Canvas/Instructure | ~275M users | May 2026 | ShinyHunters | Names, emails, student IDs, messages |
| (Various K-12 vendors) | Multiple | 2024-2026 | Various | Records, sometimes SSN |
| (Various universities) | Various | Ongoing | Various | Mixed |
Canvas's scale stands out: 275 million users covers a significant fraction of all current and recent students and faculty in institutions that adopted Canvas globally.
Tracking Future Breach Updates
The investigation is ongoing. Updates over the coming weeks may clarify:
- Whether message contents (not just metadata) were exposed
- Whether grades were exposed
- What credit monitoring/identity protection institutions will offer
- Legal/regulatory consequences for Instructure
- Specific institutions whose data was disproportionately affected
Use ScrapeMaster to track breach update articles from breach intelligence sites (BreachSense, Have I Been Pwned, etc.) — building a structured CSV of "Date | Source | New Detail | Personal Action Needed" while you browse.
For long-form analyses of the breach (technical details, legal implications, institutional response), CineMan AI summarizes them in your browser.
Frequently asked questions
What data was exposed in the Canvas breach?
Reports indicate names, email addresses, student IDs, and user messages were exposed. The full scope is being investigated. Different institutions may have had different fields exposed depending on their Canvas configuration.
How many users were affected?
ShinyHunters claimed approximately 275 million users were affected across thousands of institutions. The exact number per institution varies; check with your school for institution-specific information.
Should I delete my Canvas data?
You generally can't delete your own Canvas data — it's owned by your institution and required for academic record-keeping. What you can do is save personal copies as PDF, then exercise data subject rights if applicable in your jurisdiction (e.g., Maryland's MODPA, California's CCPA) to limit additional processing.
How do I save Canvas pages as PDFs?
Use Convert: Web to PDF. Open the Canvas page you want to save, click the extension, and save the PDF locally. The extension processes the page in your browser without uploading content to any external server.
Is my professor's gradebook part of the breach?
Probably some metadata, but the full scope of grade exposure isn't yet confirmed. Save your visible grades as PDFs from your Canvas gradebook view as soon as possible.
Should I change my university password?
Yes, especially if you reuse it across systems. If your institution uses SSO for Canvas, change your university SSO password. Enable two-factor authentication if not already on.
What if I receive a phishing email referencing my courses?
Don't click any links. Verify with your professor or IT help desk through a known channel (their official email or office number). Save the phishing email as a PDF using Convert: Anything to PDF and report it to your IT department.
Can I sue Instructure?
Class actions are common after large breaches like this. Some affected users may be eligible to join a class action; watch for notifications from law firms or your institution. Whether to participate is your decision.
Does the Canvas breach affect K-12 students?
Many K-12 districts use Canvas. If your district uses Canvas, your data may be involved. K-12 student data is protected by FERPA and (under 13) COPPA — institutions and Instructure have legal obligations around this data.
How do I know if my specific account was affected?
Watch for breach notifications from your institution's IT/privacy office. Sites like Have I Been Pwned may list email addresses found in the breach data once made available. Don't enter your password into any "breach checker" — only your email address.
Bottom Line
The Canvas/Instructure breach affecting ~275 million users is one of the largest education-sector breaches in recent memory. If you're a student, instructor, or administrator using Canvas, three immediate actions matter:
- Save your coursework, grades, and key communications as PDFs. Use Convert: Web to PDF for Canvas pages — local processing, no upload, clean PDFs.
- Change passwords and enable two-factor authentication. Anywhere your Canvas password is reused, rotate it now.
- Watch for phishing for the next 90 days. Attackers know your school, courses, and contacts.
For mixed-format documents (emails, Word, screenshots) related to your breach response, Convert: Anything to PDF gives you a single PDF folder. For tracking the breach investigation as new details emerge, ScrapeMaster builds a structured timeline as you browse breach intelligence sites. And to digest the long-form coverage of the incident's broader implications, CineMan AI summarizes articles in your browser.