AI for Automation
2026-05-09
Tags: canvas-lms, data-breach, student-data, shinyhunters, cybersecurity, student-privacy, ransomware, edtech

Canvas LMS Data Breach: ShinyHunters Exposes 275M Students

ShinyHunters hacked Canvas LMS, exposing 275M+ students' private messages—sexual assault reports, disability records included. Is your school affected?


A ransomware group (a type of cybercriminal organization that steals data and threatens to publish it unless a ransom is paid) called ShinyHunters has claimed to have breached Canvas LMS — the learning management system (a digital platform schools and universities use to manage courses, grades, and private student communications) used by hundreds of millions of students worldwide. The stolen dataset reportedly covers over 275 million individuals, along with what ShinyHunters describes as "billions of messages." If confirmed, this is the largest student data privacy breach in recorded history — and the stolen content goes far beyond transcripts and test scores.

The investigation was first reported by 404 Media, a journalist-owned independent newsroom launched in late 2023 that reached profitability in just 6 months. While most media startups burn VC (venture capital — outside investor funding that often comes with editorial tradeoffs) cash for years, 404 Media runs entirely on reader subscriptions and broke even before most new publications finish their seed round.

What the Canvas LMS Data Breach Exposed: Stolen Student Records

Canvas is not a simple homework portal. For tens of millions of students worldwide, it is the primary channel for communicating sensitive — sometimes life-defining — personal information to educators and institutions. That is what makes this breach categorically different from a typical account database leak.

Ian Linkletter, a digital librarian with 20 years of EdTech (educational technology — the broad field of software tools built specifically for school and university use) experience, described the gravity of the exposure to 404 Media:

"Students are telling you that people died to explain absences. There's personal circumstances, medical circumstances, accessibility accommodations, disputes, sexual assault allegations — all sorts of stuff would be getting reported to the instructor using Canvas. If that information is out across hundreds of millions of people, there's a lot of harm that's going to happen."

Linkletter called it "the biggest student data privacy disaster in history" and identified the structural cause: what he described as "all-eggs-in-one basket faith in a U.S. tech company." This is the centralization risk (the systemic danger created when all critical institutional data flows through a single commercial platform with one point of failure) that data privacy researchers have warned about for years — now realized at its worst scale.

Based on 404 Media's reporting, the exfiltration (unauthorized mass theft of data from a target system) covers:

  • Private messages between students and instructors — including sexual assault disclosures, mental health crises, medical condition documentation, and personal circumstances shared to request accommodations or explain absences
  • "Billions of messages" — ShinyHunters' own claimed figure for the total communications volume stolen, spanning years of institutional use
  • 275+ million individual profiles — students, educators, and administrators at institutions across multiple countries
  • Accessibility and disability documentation — sensitive formal records submitted under FERPA (the Family Educational Rights and Privacy Act — the U.S. federal law protecting student education records from unauthorized disclosure)
  • Academic records — course submissions, grades, evaluations, and institutional assessments

ShinyHunters: The Ransomware Group Behind the Canvas LMS Breach

ShinyHunters is a well-documented threat actor (a cybersecurity term for any individual or organized group that carries out deliberate attacks on systems or data) with a confirmed history of large-scale exfiltration operations. Previous verified targets include AT&T (73 million customer records), Santander Bank, and Ticketmaster. Their playbook is consistent: access the target database, extract the data, announce the breach publicly, and publish if a ransom is not paid.

The Canvas claim is their largest announced operation by individual count. At 275 million affected individuals spanning universities, community colleges, and K-12 systems in multiple countries, the scope extends beyond a perimeter breach of one company — it is a direct strike on the institutional trust layer (the assumption that sensitive communications shared within an educational system remain confidential) that students and educators depend on every day. The attack surface (the total number of entry points where unauthorized access could occur) was the sheer breadth of Canvas's centralized deployment.

The Newsroom That Broke the Story — and Why Its Existence Matters

404 Media was founded in late 2023 by four veteran tech journalists — Joseph Cox, Jason Koebler, Matthew Gault, and Emanuel Maiberg — all of whom left established publications to launch an independent, journalist-owned newsroom with no VC funding and no corporate ownership. Revenue comes entirely from reader subscriptions. It reached profitability within 6 months, a milestone documented by Nieman Lab as a landmark for independent tech journalism.

The Canvas breach coverage is consistent with 404 Media's focus on accountability stories that larger, advertising-dependent newsrooms structurally avoid. Other recent investigations from the same team:

  • ICE smart glasses — U.S. Immigration and Customs Enforcement is reportedly developing wearable glasses with built-in real-time facial recognition (a biometric identification system that instantly matches a person's face against government databases), per 404 Media reporting
  • Real-time deepfake scam software — Commercially available tools that overlay any person's face onto a live video call, enabling identity fraud at global scale. One 404 Media journalist who tested the software live wrote: "Oh my god. I yelled as I looked at my own face on someone else's body. It was all there: my five o'clock shadow, my goofy grin, even the bags under my eyes."
  • Flock camera misuse — Automated license-plate-reading surveillance cameras marketed to residential communities found deployed inside facilities serving children
  • Meta throttling its own critics — 404 Media documented that Meta (Facebook and Instagram's parent company) algorithmically suppressed the outlet's investigative stories about drug advertisements appearing on Instagram. That story earned 174 points and 95 comments on Hacker News before platform filtering further reduced its visibility

404 Media recently announced a distribution partnership with Wired, extending reach without changing ownership structure. Their RSS feed (a standardized web format that delivers new articles directly to a reader app, bypassing social media algorithmic filtering entirely) is the most reliable way to follow ongoing breach coverage:

https://www.404media.co/rss/

Add this URL to any RSS reader — Feedly, Inoreader, or NewsBlur — by pasting it into the "Add Feed" dialog. You get each new investigation directly, without depending on any platform's algorithm to surface it.

What Educators and Students Must Do After the Canvas Data Breach

Treat all private Canvas messages as potentially compromised — regardless of when they were sent. ShinyHunters has not confirmed the timeline of their access, meaning years of historical messages are at risk, not just recent communications.

For administrators and IT teams: Audit what sensitive data your institution stores in Canvas private messaging. Notify students and faculty that a breach claim exists and advise against sending sensitive personal information through Canvas until Canvas's official breach response is issued and the full scope is verified.

For educators: Redirect Title IX reports (matters covered under the U.S. federal law requiring schools to address gender discrimination, harassment, and assault, with a designated institutional office for reporting), mental health crisis disclosures, and medical accommodation requests to your institution's dedicated, encrypted reporting systems. Do not use Canvas messaging for anything you would not write in a public email.

For students: If you have disclosed personal circumstances, medical conditions, sexual assault incidents, or other sensitive information via Canvas private messages, contact the relevant institutional office so they can document the potential exposure and take protective action on your behalf.
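The audit step recommended to administrators above can start from an export of private messages. The following is an added example, not code from Canvas, 404 Media, or this site: the export field names (`id`, `created_at`, `body`), the sample messages, and the keyword patterns are all constructed assumptions. It reports counts and message IDs per sensitivity category, never the message text itself, so the audit report does not become a second copy of the sensitive data.

```python
import re
from collections import Counter, defaultdict

# Categories follow the article's list of exposed content; the patterns are
# illustrative assumptions and need tuning for each institution.
CATEGORIES = {
    "title_ix": re.compile(r"\b(title ix|sexual assault|harass(ed|ment))\b", re.I),
    "medical": re.compile(r"\b(diagnos(is|ed)|surgery|medication|hospital(ized)?)\b", re.I),
    "mental_health": re.compile(r"\b(depress(ion|ed)|anxiety|panic attack|therap(y|ist))\b", re.I),
    "accommodation": re.compile(r"\b(accommodations?|disabilit(y|ies)|accessibility)\b", re.I),
    "bereavement": re.compile(r"\b(funeral|passed away|died|death)\b", re.I),
}

# Constructed sample export: hypothetical field names, not the Canvas schema.
SAMPLE_EXPORT = [
    {"id": 101, "created_at": "2023-02-14T09:12:00Z",
     "body": "I missed class because my grandmother passed away; the funeral is Friday."},
    {"id": 102, "created_at": "2024-10-03T16:40:00Z",
     "body": "Attaching my accommodation letter from the disability office."},
    {"id": 103, "created_at": "2024-11-20T08:05:00Z",
     "body": "Can I get an extension? I was hospitalized and my anxiety has been bad."},
    {"id": 104, "created_at": "2025-01-08T11:00:00Z",
     "body": "What chapters are on the quiz?"},
]

def classify(body):
    """Return the sorted list of sensitive categories a message body matches."""
    return sorted(name for name, rx in CATEGORIES.items() if rx.search(body))

def audit(messages):
    """Summarise exposure by category and year without copying message text."""
    by_category, by_year = Counter(), Counter()
    flagged_ids = defaultdict(list)
    for msg in messages:
        hits = classify(msg.get("body") or "")
        if not hits:
            continue
        by_year[msg["created_at"][:4]] += 1  # one count per flagged message
        for cat in hits:
            by_category[cat] += 1
            flagged_ids[cat].append(msg["id"])
    return {"by_category": dict(by_category), "by_year": dict(by_year),
            "flagged_ids": dict(flagged_ids)}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for cat, ids in sorted(report["flagged_ids"].items()):
        print(f"{cat}: {len(ids)} message(s), ids={ids}")
    print("flagged messages per year:", report["by_year"])
```

Keyword matching only gives a lower bound on exposure; flagged IDs should go to the office that owns each category (Title IX, disability services) for review rather than to a general IT queue.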

Watch 404 Media and subscribe to their RSS feed for verified updates as this investigation develops. To learn how AI-powered monitoring tools can help track data breach developments and automate security alerts, explore our AI automation guides.
