Documenting breaches, demanding accountability.
Report what you know. Protect what matters.
Instructure / Canvas LMS
Parent company of Canvas — used by 8,809+ educational institutions worldwide
The criminal extortion group ShinyHunters claimed responsibility on May 3, 2026 for a massive breach of Instructure's Canvas Learning Management System — the platform used by millions of K-12 and higher education students across the United States and globally. The attackers exploited a vulnerability in Free-For-Teacher accounts to access 3.65 terabytes of data. The breach is considered the largest educational data security incident on record.
Exposed data includes names, email addresses, student ID numbers, and private messages exchanged between students and instructors. Instructure confirmed there is no evidence that passwords, financial data, or Social Security numbers were stolen. The ransom deadline passed May 12, 2026 with no public confirmation of payment.
Instructure took Canvas, Canvas Beta, and Canvas Test offline for investigation on May 7 and restored service May 8 after permanently shutting down the Free-For-Teacher account program.
Full RFA Coverage →Documented breaches from public sources. Record counts from verified reporting.
Ransomware — healthcare claims processing
Largest healthcare breach on record. Notification completed Oct 2025. Source: HHS OCR, HIPAA Journal.
Unauthorized access — K-12 student/teacher data
19-year-old perpetrator Matthew D. Lane pleaded guilty; sentenced to 9+ years federal prison. Source: BleepingComputer, WKBW.
Unauthorized access — two linked incidents
$177M settlement. Exposed SSNs, birthdates, call/text logs. Source: FCC settlement filings.
Cloud credential theft — ShinyHunters / UNC5537
1.3TB database. 160+ Snowflake customer environments accessed. Source: Live Nation SEC filing, Mandiant.
Unauthorized access — auto dealership data aggregator
Names, addresses, DOBs, SSNs. Broader NPD breach alleged 2.9B records by threat actors. Source: HIPAA Journal.
Unauthorized access — insurance policyholder data
Third-largest confirmed US breach of 2025. Notifications sent. Source: Privacy Rights Clearinghouse 2025 Annual Report.
Government services vendor — benefit administration
Texas-confirmed figure; national total unknown. Conduent provides payment and benefits tech to state governments. Source: ITRC 2025.
Fintech — peer-to-peer lending platform breach
Personal financial data exposed. Notifications completed per state law. Source: ITRC / Privacy Rights Clearinghouse.
Know about a data breach that hasn't been reported? Work at an organization that experienced a breach? Submit what you know. RFA editorial staff reviews every report.
Get real-time alerts when organizations you trust report a data breach — before the company issues a statement, before the news cycle moves on.