At Least 18 Class-Action Lawsuits Against Instructure After Being Hacked
May 11, 2026
IBL News | New York
At least 18 federal class-action lawsuits have been filed against Canvas LMS’s parent company, Utah-based Instructure, following last week’s data breach, while the company issued an apology after final exams at numerous universities were halted.
“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that,” Instructure CEO Steve Daly wrote in a new post.
The hacking group behind the outage, ShinyHunters, also stole data on potentially tens of millions of students across nearly 9,000 schools.
The company’s ongoing investigation found that “usernames, email addresses, course names, enrollment information, and messages” were exposed. That’s slightly different from Instructure’s initial findings, which said that “names, email addresses, student ID numbers” had been affected. That said, usernames and email addresses can still expose a student’s full name.
Daly added: “We’re still validating all findings, but we want to be clear about what we understand was and wasn’t affected.”
Instructure’s CEO also revealed that hackers exploited a “vulnerability regarding support tickets in our Free for Teacher environment,” a service that enables teachers to use some Canvas services at no cost.
In response to the hack, Instructure has temporarily shut down the Free-for-Teacher service.
• The great 2026 Canvas-ocalypse by Bryan Alexander
• Instructure Is Risking the Trust That Built Canvas by Phil Hill
Discover more
IBL News is funded by the New York-based, family-owned company ibl.ai. Our stories adhere to the highest ethical standards in journalism and are available to news syndication agencies.
