Names
Student, teacher, staff, or user names may have been exposed.
Class Action Filed · W.D. Tex. · Students, Parents, Teachers, and Staff
Canvas Data Breach Class Action
On May 8, 2026, Hall Attorneys, P.C. filed a putative class action against Instructure, Inc., the operator of Canvas, alleging that a major cybersecurity incident and outage exposed names, email addresses, student ID numbers, and “messages among Canvas users,” while disrupting finals-week access to course materials, study materials, gradebooks, exam instructions, and online exams.
What happened in the Canvas lawsuit?
The complaint alleges that Instructure acknowledged unauthorized activity in Canvas and indicated that the data taken included names, email addresses, student ID numbers, and messages among Canvas users. The complaint further alleges that the unauthorized actor changed pages that appeared when some students and teachers were logged in through Canvas.
The complaint alleges Instructure's response included taking Canvas offline, revoking privileged credentials and access tokens, rotating certain internal keys, restricting token-creation pathways, adding monitoring, and hardening administrative-access and token-management workflows.
The plaintiff, proceeding as Jane Doe, is a Baylor University nursing student. According to the complaint, Canvas became unavailable while she was studying for a statistics exam, and her final scheduled for May 8, 2026 was postponed to May 14, 2026, disrupting her exam schedule, study schedule, move-out plans, travel plans, and academic preparation.
What information may have been exposed?
According to Instructure and notices from affected institutions, information potentially involved may include the categories below.
Email addresses
School, personal, or institutional email addresses may have been exposed.
Student ID numbers
Student identifiers may have been involved. Student IDs can be used in school systems, campus services, institutional communications, and account-recovery workflows.
Canvas messages and user communications
Messages exchanged within Canvas may have been involved. This is one of the most serious aspects of the incident because Canvas messages may contain private educational communications between students, teachers, faculty, counselors, school staff, and classmates.
Instructure has stated that, as of its current investigation, it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. That assessment may change as the investigation continues.
Why the Canvas message breach matters
Many data breaches involve only names and emails. This incident may be different.
Canvas is not merely a homework website. For many schools, it is a core educational platform used for assignments, grades, course materials, class communications, extensions, teacher feedback, student concerns, and private messages.
The exposure of private educational communications can create risks beyond ordinary identity theft, including phishing, impersonation, embarrassment, harassment, extortion, reputational harm, and loss of privacy.
Was your school affected?
The complaint alleges the Canvas outage and breach affected universities across the country, including Baylor University in Waco, Texas. Baylor's public notices, quoted in the complaint, recognized that the nationwide Canvas outage was seriously disrupting students' preparation for final exams and that final exams originally scheduled for May 8 would be moved to May 14 and administered online.
You may be affected if your school, district, college, or university uses Canvas; you received a notice about a Canvas security incident; your child used Canvas for schoolwork or messages; you are a teacher, professor, administrator, staff member, or former student with a Canvas account; or your Canvas account contained messages, student records, course communications, or identifying information.
Even if your school has not yet confirmed impact, you should preserve any notice, email, screenshot, Canvas error, gradebook notice, exam-schedule change, or communication about the incident.
What should students, parents, teachers, and staff do now?
Step 1
Preserve all notices
Save any email, letter, school announcement, district alert, university notice, Canvas notice, or Instructure communication about the incident. Do not delete emails, even if they appear routine.
Step 2
Take screenshots
Screenshot any Canvas, school, district, or university alert page that mentions the incident. Include the date and the URL if possible.
Step 3
Do not paste sensitive Canvas messages into ordinary web forms
If your Canvas messages involved sensitive topics, preserve them, but do not paste highly private student-teacher messages into a public or unsecured form. Hall Attorneys can follow up if more detail is needed through an appropriate channel.
Step 4
Watch for phishing and impersonation
Be cautious of unexpected emails, texts, calls, or login prompts claiming to come from Canvas, Instructure, your school, your district, or a university IT office. Do not click unexpected links. Access Canvas and school portals directly through official school websites.
Step 5
Document suspicious activity
Keep a timeline of suspicious emails, password-reset attempts, impersonation attempts, account lockouts, or unusual messages that appear after the breach.
Step 6
Contact Hall Attorneys
Hall Attorneys is evaluating whether affected students, parents, teachers, staff, and other Canvas users may have claims.
Who should contact Hall Attorneys?
Parents and guardians
You may contact us if your child used Canvas, especially if your child's Canvas messages involved private, sensitive, disciplinary, disability, counseling, bullying, harassment, health, or family-related issues.
K-12 students
If you are a student, ask a parent or guardian to contact us. Do not send sensitive messages or documents without a parent or guardian.
College and university students
You may contact us if you used Canvas and received notice that your institution was affected, or if your Canvas messages involved sensitive academic, personal, disciplinary, health, disability, financial-aid, or harassment-related issues.
Teachers, faculty, and staff
You may contact us if your communications with students, parents, teachers, administrators, or colleagues may have been exposed.
Former students or former employees
You may still be affected if your old Canvas account or archived messages remained in Instructure's systems.
What the Canvas complaint alleges and seeks
- How the Canvas incident occurred
- Whether Canvas messages and educational communications were accessed or taken
- Whether affected users were notified promptly and accurately
- Whether reasonable security safeguards were used for student and teacher data
- Whether API keys, access tokens, privileged credentials, or integrations contributed to the incident
- Whether minors' educational records or private communications were exposed
- Whether students suffered academic disruption from delayed finals, missed access to study materials, travel disruption, move-out disruption, or grade impact
- Whether users have experienced phishing, impersonation, or other misuse
- Whether affected students, parents, teachers, and staff may be entitled to compensation or other relief
Why choose Hall Attorneys?
Hall Attorneys handles complex litigation and data-breach matters involving sensitive personal information, privacy failures, and high-stakes technology systems.
We move quickly, preserve evidence, and focus on the facts that matter: what information was exposed, why it was stored, how the incident happened, what warnings were missed, how victims were notified, and what harms followed.
This case is not about a routine account issue. It concerns educational privacy, student communications, finals-week access to school infrastructure, and the security of a platform that many students and teachers were required to use.
Contact Hall Attorneys
If you received a Canvas, Instructure, school-district, college, or university notice about this incident, or if your child used Canvas, contact Hall Attorneys.
You can also review Nicholas Hall's background or reach the firm through the contact page.
Important documents
- Press release: Hall Attorneys Files Class Action Against Instructure Over Canvas Data Breach and Disruptions During Finals
- Press release PDF: Download the release
- Filed complaint: The Canvas docket page is now available at hallattorneys.com/dockets/canvas.
Frequently asked questions
What is the Canvas data breach class action?
The Canvas data breach class action is a putative class action filed by Hall Attorneys on May 8, 2026 against Instructure, Inc., the operator of Canvas. The complaint alleges that a Canvas security failure exposed student information and messages among Canvas users while disrupting access to course materials during finals week.
Was Canvas hacked?
Instructure has confirmed a cybersecurity incident involving a criminal threat actor. The complaint alleges Instructure acknowledged unauthorized activity in Canvas, that some pages shown to logged-in Canvas users were changed by an unauthorized actor, and that Instructure responded by taking Canvas offline and hardening credentials, access tokens, keys, monitoring, and administrative access workflows.
What data was exposed in the Canvas breach?
According to Instructure, information potentially involved includes names, email addresses, student ID numbers, and messages among users. Instructure has stated that it has found no current evidence that passwords, dates of birth, government identifiers, or financial information were involved.
Were Canvas messages exposed?
Instructure has stated that messages among users may have been involved. This is important because Canvas messages can include private communications between students, teachers, faculty, staff, counselors, administrators, and classmates.
Was my child's Canvas information exposed?
Your child may be affected if their school or district uses Canvas and received notice from Instructure about the incident. Parents should preserve school notices, Canvas alerts, screenshots, and any related communications.
Should parents be concerned about Canvas messages?
Yes. Even if Social Security numbers or financial information were not involved, Canvas messages may contain private student-teacher communications, academic concerns, discipline issues, disability accommodations, counseling-related topics, bullying reports, harassment issues, or other sensitive information.
Did the breach involve passwords?
Instructure has stated that it has found no current evidence that passwords were involved. However, users should still watch for phishing emails and should avoid clicking unexpected links that claim to be from Canvas, Instructure, or school IT departments.
Did the breach involve Social Security numbers?
Instructure has stated that it has found no current evidence that government identifiers were involved. If that changes, affected institutions should provide additional notice.
Who is ShinyHunters?
ShinyHunters is a hacking and extortion group that public reporting has associated with the Canvas incident. The group reportedly claimed responsibility and alleged that the breach affected thousands of schools and hundreds of millions of people. Those numbers have not been confirmed by Instructure.
What should I do if I received a Canvas breach notice?
Preserve the notice, save related emails, take screenshots of any school or Canvas announcements, watch for phishing, and document suspicious activity. You may also contact Hall Attorneys to discuss whether you or your child may have a claim.
Can students file a class action over the Canvas data breach?
Hall Attorneys filed a putative class action on May 8, 2026. Students, parents, teachers, staff, and other affected users may have potential claims depending on what information was exposed, whether private messages were involved, what notice was provided, whether finals-week access was disrupted, and what harms occurred.
Should I send Hall Attorneys my Canvas messages?
Do not paste highly sensitive Canvas messages into an ordinary web form. You may tell us generally whether your messages involved sensitive topics, such as accommodations, discipline, counseling, bullying, harassment, health, family issues, or academic records. If more detail is needed, Hall Attorneys can follow up.
Is Hall Attorneys affiliated with Canvas or Instructure?
No. Hall Attorneys is not affiliated with Canvas, Instructure, Baylor University, or any school, district, college, or university. Hall Attorneys filed litigation on behalf of affected users.
Sources and updates
- Hall Attorneys Canvas press release announcing the May 8, 2026 class-action filing.
- Instructure status page for May 2026 security-incident updates about Canvas and other Instructure platforms.
- TechCrunch reporting on ShinyHunters claims, sample data, and unconfirmed scale allegations.
- UT Austin Canvas vendor security notice describing the incident as a vendor-level event that may impact multiple institutions.
- UC Berkeley Canvas/bCourses notice identifying names, emails, student ID numbers, and Canvas/bCourses messages as potentially involved.
Attorney Advertising
The information you provide will be used to evaluate your potential claim. Sending information does not create an attorney-client relationship. Do not send highly confidential information unless we specifically request it through a secure channel. This page is not affiliated with Canvas, Instructure, or any school, district, college, or university.