Canvas LMS data breach: what data was exposed, and what we still don’t know

That distinction matters. The types of data reportedly exposed are tied to Instructure’s own statements and consistent reporting. The overall scale — 3.65 TB, 275 million people and nearly 9,000 institutions — remains an attacker claim unless Instructure or independent investigators verify it .

What data is said to be involved

The data categories named so far are mainly identification and communication details. According to BleepingComputer, Instructure described the exposed information as names, email addresses, student ID numbers and messages among users . Other reports describe the same core set of information .

The publicly named categories are:

• Names of users
• Email addresses
• Student ID numbers
• Messages exchanged between Canvas users

What is not believed to be involved so far

SecurityPointBreak, citing Instructure, reports that the company has found no evidence so far that passwords, dates of birth, government identifiers or financial information were affected . Daily.dev gives a similar summary, saying passwords, financial data and government identifiers are not believed to be involved at this stage .

That is not the same as a final incident report. Instructure has framed its comments as part of an active investigation, and multiple reports note that the review is continuing .

How many users could be affected?

The 275 million figure is the most dramatic part of the story — and also the least settled. ShinyHunters claims it stole 3.65 TB of data and says the information could relate to roughly 275 million students, teachers and other staff across nearly 9,000 educational institutions .

For now, that should be treated as an unverified claim by the alleged attackers. SecurityWeek specifically reports that Instructure has not shared details on how many institutions or users were affected . Until the company or independent investigators confirm the scale, 275 million should not be treated as a reliable victim count.

Why this data can still be sensitive

Even without confirmed exposure of passwords or payment details, names, email addresses, student IDs and message content can still be useful to criminals. Email addresses provide a direct way to contact people. Student ID numbers can make a message appear tied to a real school or university account. User messages may contain context that makes phishing or impersonation attempts more convincing .

For Canvas users, the practical takeaway is to be cautious with unexpected emails, account-verification requests or messages that refer to a class, campus, school system or course context. It is safer to open Canvas through a trusted bookmark or the official address provided by your institution, rather than through links in unexpected messages.

What users should check now

If you use Canvas through a school, university or other organisation, watch for notices from that institution. The public claims do not, by themselves, prove that any individual account or specific institution was affected. Instructure’s confirmed language refers to users at affected institutions, while the broader numbers remain unconfirmed .

Sensible next steps include:

• Check messages from your school, university, employer or IT department.
• Do not respond to suspicious emails or Canvas-related messages through embedded links.
• If you receive an account-change request, go directly through your institution’s known login page.
• Prioritise changing your password if your institution tells you to do so, or if you reused the same password elsewhere; based on current public reporting, passwords have not been identified as exposed .

Bottom line

The available reporting supports that an Instructure/Canvas data incident exposed user information such as names, email addresses, student ID numbers and messages between users . What remains unconfirmed is the scale claimed by ShinyHunters: 3.65 TB of data, 275 million people and nearly 9,000 institutions . Until those figures are verified, they should be read as allegations — not as an official count of affected users.