Your Email Was in the Canvas Breach. Now Stop the Spam.
TL;DR - A criminal group called ShinyHunters stole the data of around 275 million Canvas users, including names, email addresses, student ID numbers and private messages, from more than 8,800 schools and universities. Canvas's owner, Instructure, paid the ransom, and the criminals "returned" the data. That sounds like a happy ending. It is not one. A criminal's promise is not a delete key, and your email address is now a known, working address tied to a real person at a real institution. That is gold for targeted phishing. What you need to do: treat every "Canvas" or "university" email as suspect, change any reused passwords and switch on two-factor authentication, and from now on hand out a unique email alias instead of your real address so the next breach contains itself.
The Canvas Breach By The Numbers
| What | Figure |
|---|---|
| People whose data was taken | Around 275 million |
| Schools and universities affected | More than 8,800 worldwide |
| Volume of data stolen | 3.65 terabytes |
| Information exposed | Names, email addresses, student ID numbers, private messages |
| The ransom | Paid by Instructure; the criminals "returned" the data |
| Countries hit | US, UK, Canada, Australia, New Zealand and parts of Europe |
I read a lot of breach reports. Most of them are dry: a company discloses, a number gets quoted, everyone moves on. The Canvas breach was the first one I can remember where the victims found out by trying to sit an exam.
In early May 2026, students at thousands of universities went to log into Canvas, the online classroom platform used for assignments, grades and messaging, and found a ransom note where the login page should be. Some of them were in the middle of finals.
The outage made the news. Canvas came back online, exams went ahead, and the headlines moved on. But the part that matters for you did not get fixed when the site came back. The data that was taken is still gone. If you, or your kid, or anyone you know has used Canvas, your email address is now sitting in a criminal database.
This post is not about the outage. It is about what happens next, in your inbox, and the one habit that decides how badly the next breach hits you.
Let me walk you through what was actually taken, why "they paid the ransom" does not mean you are safe, and what to do this week.
What Actually Happened to Canvas
Plain version: Canvas is a learning management system, the website and app that millions of students use to see their courses, submit work, check grades and message teachers. It is run by a company called Instructure.
In early May 2026, a criminal group known as ShinyHunters broke in. Not once, but twice, about a week apart. They claimed to have taken 3.65 terabytes of data covering around 275 million users across more than 8,800 institutions worldwide, including universities here in Australia. Reporting has described it as the largest breach the education sector has ever had.
The stolen data included names, email addresses, student ID numbers and private messages between students and teachers. ShinyHunters set a deadline: pay, or the data gets published. Instructure paid. The criminals then said they had "returned" the data and promised they would not use it.
If that promise sounds reassuring, stay with me, because it is the most misunderstood part of this whole story.
Why "They Paid the Ransom" Does Not Make You Safe
Here is the uncomfortable truth: you cannot un-leak data.
When a criminal group "returns" stolen data after a ransom, what they hand back is the original copy. Nothing stops them keeping a second one. Nothing stops a member who has already drifted away from the group from quietly holding their own. A promise from an extortion gang is not a delete key, and treating it like one is how people lower their guard at exactly the wrong moment.
So assume the realistic outcome. Your email address, your name, and the fact that you are connected to a specific university are now known to criminals, and may be bought and sold for years.
That last part is what makes this breach personal. A loose email address on its own is low value. An email address attached to a real name, a real institution and a student ID is something else. It tells a scammer exactly who you are, and exactly which fake message you are most likely to believe.
A criminal's promise is not a delete key. Once your details are out, they are out. The only thing you control is what happens next.
What the Spam and Phishing Will Look Like
Generic spam is annoying. Targeted phishing is dangerous, and this breach hands criminals the ingredients for the targeted kind.
Expect, over the coming months, emails that:
- Pretend to be from your university or its IT department, asking you to "verify your account" or "restore access after the breach"
- Pretend to be from Canvas or Instructure, offering "breach compensation" or "free identity protection" if you just log in here
- Quote real details, your name, your institution, maybe your student ID, to sound legitimate
- Push urgency: a deadline, a locked account, a missed payment, a grade on hold
The cruel irony is that a breach like this one is followed by a wave of scams that use the breach itself as the hook. "Because of the recent Canvas incident, click here to secure your account." Do not.
The rule that survives all of it: never act on a link in an email. If a message claims to be from your university or Canvas, open a browser, type the address you already know, and log in there. A real problem will still be waiting for you. A fake one will not.
Tired of every signup ending up as spam?
That is the entire reason I built SecureAlias. You create a unique, disposable email address for every site you sign up to. When one leaks, you switch it off, and your real inbox never even knew.
Take a look at SecureAlias - simple email aliases for people who are done being on every spam list.
What To Do This Week
If you, or someone in your house, uses Canvas, work through this. None of it takes long.
- Treat every "Canvas" and "university" email as suspect for a while. Do not click links in them. Go straight to the site yourself. This is the single highest-value habit right now.
- Change your Canvas password, and anywhere you reused it. If the same password protects your email or your bank, change those too. Reused passwords are how one breach becomes five. A password manager makes every password unique without you having to memorise anything.
- Switch on two-factor authentication everywhere it is offered, starting with your email account. Then a stolen password is not a stolen account.
- Watch for scams that name you personally. The phishing that follows this breach will use real details. Specific does not mean genuine. If anything, a message that knows too much about you deserves more suspicion, not less. Here is why scammers seem to know who you are.
- Stop handing out your real email address. This is the one that changes the future, and it gets its own section below.
The Habit That Contains the Next Breach
You cannot undo Canvas. But Canvas is not the last breach you will be caught in. It is just the biggest one this month. There will be another, and another. The question is never whether a service you use gets breached. It is what they are holding on you when it happens.
Here is the difference. When Canvas was breached, two kinds of people were affected:
- The ones who signed up with their real, everyday email address. That address is now in the leak, attached to their name, and there is nothing they can do about it.
- The ones who signed up with an email alias, a unique forwarding address created just for Canvas. Their real inbox was never exposed. If the alias starts attracting spam, they delete it, and the spam stops dead.
An alias is simple. It is a stand-in email address that forwards to your real inbox, like a PO box for email. You give the alias to the website, and the website never sees your real address. One alias per service. When one leaks, only that one is affected, and you can switch it off in seconds.
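The containment described above, as a small model added here for illustration (it is not SecureAlias's code or API). The `AliasBook` class, the `alias.example` domain and every address are constructed assumptions.

```python
import secrets

ALIAS_DOMAIN = "alias.example"  # constructed placeholder domain


class AliasBook:
    """Toy forwarder: one alias per service, all delivering to one real inbox."""

    def __init__(self, real_inbox):
        self.real_inbox = real_inbox
        self.aliases = {}  # alias -> {"service", "expected", "active"}

    def create(self, service, expected_domains, token=None):
        # A random token makes the alias unguessable from the service name.
        token = token or secrets.token_hex(4)
        alias = f"{service}.{token}@{ALIAS_DOMAIN}".lower()
        self.aliases[alias] = {
            "service": service,
            "expected": {d.lower() for d in expected_domains},
            "active": True,
        }
        return alias

    def disable(self, alias):
        self.aliases[alias.lower()]["active"] = False

    def route(self, rcpt, sender):
        """Return (action, detail) for mail sent to rcpt by sender."""
        entry = self.aliases.get(rcpt.lower())
        if entry is None:
            return ("reject", "unknown alias")
        if not entry["active"]:
            return ("reject", f"{entry['service']} alias is switched off")
        # Sender addresses can be forged, so a match proves nothing;
        # a mismatch, though, shows the alias has left the service's hands.
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain not in entry["expected"]:
            return ("flag", f"{entry['service']} alias used by {domain}")
        return ("forward", self.real_inbox)


if __name__ == "__main__":
    book = AliasBook("me@inbox.example")  # constructed addresses throughout
    lms = book.create("canvas", {"lms.example"})
    bank = book.create("bank", {"bank.example"})
    print(book.route(lms, "notify@lms.example"))       # normal course mail
    print(book.route(lms, "offers@bulkmail.example"))  # alias has leaked
    book.disable(lms)
    print(book.route(lms, "offers@bulkmail.example"))  # spam now rejected
    print(book.route(bank, "alerts@bank.example"))     # other alias unaffected
```

Because each alias belongs to exactly one service, mail arriving at it from anyone else also tells you which service lost your address.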
This is exactly what I built SecureAlias to do: create a fresh alias for every signup, so a breach at any one service can never reach your real inbox or your other accounts. If you would rather weigh up every option first, I have compared all of them, including Apple's Hide My Email, Proton Pass and custom domains, in this full guide to email aliases.
You cannot get ahead of the Canvas breach. You can absolutely get ahead of the next one.
Key Takeaways
- The Canvas breach is not "over". The site is back, but around 275 million email addresses are out, and a paid ransom does not bring them back.
- A criminal's promise is not a delete key. Assume the data is gone for good and plan around that, not around the hope it was deleted.
- The real danger is targeted phishing. Expect scam emails that quote your name, your university and your student ID to sound convincing. Specific is not the same as genuine.
- Never act on a link in a breach-related email. Open the site directly, every time.
- Change reused passwords and switch on two-factor authentication. Stop one breach from becoming five.
- Use an email alias for every signup from now on. It is the one habit that contains the next breach instead of letting it spread.
FAQ
Was my data in the Canvas breach?
If you have used Canvas at any point, assume yes. Around 275 million users across more than 8,800 institutions were affected, and individual notifications have been slow and patchy. It is safer to act as though you were included than to wait for a letter that may never arrive.
Instructure paid the ransom and got the data back. Doesn't that fix it?
No. Paying a ransom can reduce the chance of a public data dump, but it cannot guarantee that no copies were kept. Treat your email address and personal details as permanently exposed.
Should I stop using Canvas?
You probably can't, since it is your university's platform, and you do not need to. Keep using it, but change your password, switch on two-factor authentication, and be sceptical of any email about it.
I keep getting spam since the breach. How do I make it stop?
You cannot fully un-leak the address that was exposed. What you can do is stop new spam reaching what matters: move your important accounts onto fresh email aliases and retire the exposed address over time. The old inbox gets quieter as you migrate away from it.
What exactly is an email alias?
A stand-in email address that forwards to your real inbox. You give the alias to a website instead of your real address. If that website is breached, only the alias is exposed, and you can switch it off without affecting anything else you own.
Is my student ID number being leaked a big deal?
On its own, a student ID is low risk. It is not a financial number. The danger is that it makes phishing more convincing, because a scammer who can quote your student ID sounds like they really are from your university. Treat it as a reason to be more sceptical, not less.
My child is at university. What should I do?
Walk through the steps in this article with them. Students are the prime targets here. They receive a lot of genuine email from their institution, and they are busy and stressed around assessment time, which is exactly when a well-timed phishing email works.
My Take
What bothers me most about the Canvas breach is not the hack itself. Breaches happen. It is the shape of the reassurance afterwards. "The company paid, the data was returned, the matter is resolved." That framing protects the company's week. It does nothing for the 275 million people whose details were copied, and it quietly nudges all of them to relax at the exact moment they should be tightening up.
Students got the worst of this. They are a captive audience, because you cannot opt out of your university's platform, and they are the group with the least spare time and the least cynicism to bring to a well-built scam email. The platform let them down, the breach response let them down, and now the cleanup lands on them anyway.
So here is the mindset I would take from it. You will never control whether the companies holding your data get breached. They will. What you control is how much of yourself you handed them in the first place. A unique alias for every service is not paranoia. It is the digital version of not giving a stranger your home address just because they filled in a form and asked. Canvas is a hard lesson. Let it be the one that finally changes the habit.
Mathew Clark, Founder, SecureInSeconds
Currently: counting how many of my old accounts still use an email address I am never getting back.
Further Reading
- Canvas hack strands college students during finals week - CNN's report on the outage
- Instructure pays ransom to Canvas hackers - Inside Higher Ed on the ransom decision
- Instructure reaches ransom agreement with ShinyHunters - The Hacker News on the 3.65TB figure
- Email Aliases: The Spam-Blocking Hack Every Australian Needs in 2026 - the full how-to guide for setting aliases up
- Why Do Scammers Already Know My Personal Information? - how breached data turns into targeted scams
- Password Managers Compared - making every password unique so one breach cannot spread
- Personal cyber security guides - the Australian Cyber Security Centre's step-by-step guidance



