● New Filing Class Action

Student Data Breach · Filed May 6, 2026

Instructure Canvas Data Breach: Class Action Filed on Behalf of Students and Parents

No attorney-client relationship is formed by reading this page.

A federal class action complaint was filed on May 6, 2026 in the U.S. District Court for the District of Utah against Instructure, Inc., the company behind the Canvas learning management system used by tens of millions of American students. The lawsuit, brought by a parent on behalf of her 15-year-old child and a proposed nationwide class, alleges that a massive cybersecurity failure allowed criminal hackers to steal the personal information of approximately 275 million students, teachers, and school staff at nearly 9,000 educational institutions. Carey & Danis LLC is co-counsel for the plaintiff and proposed class.

Defendant

Instructure, Inc. (developer and operator of Canvas LMS)

What Was Exposed

Names, school email addresses, student ID numbers, and the contents of private messages between students and teachers

Case Status

Complaint Filed — Sarkis v. Instructure, Inc., No. 2:26-cv-00380-DBP (D. Utah)

Who May Have a Claim

Anyone in the U.S. — including children — whose information was stored in Canvas at an affected school

What Happened

According to the complaint, between roughly April 25 and April 30, 2026, an unauthorized criminal threat actor exploited a vulnerability in Instructure’s Canvas platform and removed approximately 3.65 terabytes of personal information from the company’s systems. The information allegedly stolen includes student names, school-issued email addresses, student identification numbers, and the contents of private communications sent through Canvas — including, the complaint alleges, billions of private messages between students and teachers and among students themselves.

Canvas is the dominant learning management system in the United States. The complaint states that Canvas is used by more than 40% of higher education institutions in North America and by thousands of K-12 school districts across the country. For most students at those schools, Canvas is not optional: it is the platform through which teachers deliver assignments, post grades, and communicate with students about their education.

On April 30, 2026, Instructure’s public status page reported disruptions to tools relying on its API keys. Within days, Instructure publicly acknowledged that it was the target of a cybersecurity incident and that it had retained outside forensic experts. On May 3, 2026, the criminal extortion group commonly known as “ShinyHunters” listed Instructure on its dark-web data leak site, claimed responsibility for the theft, and issued a public ransom demand. According to the complaint, ShinyHunters has since shared with security journalists a list of approximately 8,809 affected schools, colleges, and universities.

⚠ This Was Not the First Breach

The complaint alleges that the same threat actor — ShinyHunters — successfully breached Instructure’s Salesforce environment in September 2025. According to the complaint, that earlier incident put Instructure on direct notice that its security was inadequate and that it was specifically being targeted. Eight months later, the lawsuit alleges, the same group walked out with the records of 275 million users.

Why This Breach Is Different — Especially for Children

Most data breaches involve adult consumers and primarily expose financial information. The Canvas breach is different in two important ways, the complaint argues.

First, much of the stolen data belongs to minors. Identity thieves prize children’s information because minors typically have unused Social Security numbers and clean credit files. Compromised records can be exploited for years — often only discovered when the child reaches adulthood and applies for a credit card, student loan, or first job.

Second, the stolen messages may contain deeply personal information. Canvas’s inbox feature is where students discuss academic struggles, mental health concerns, accommodations, family circumstances, and other sensitive topics with teachers. The complaint alleges that disclosure of these communications to a criminal threat actor — and the threatened public release of that material — is itself a serious privacy injury, separate from any financial fraud risk.

The complaint also points out that data on the criminal market for personal information has long included children’s records, with comprehensive identity packages selling for prices that reflect their long-term value to fraudsters.

Who Is Affected

The lawsuit seeks to represent two groups:

Nationwide Class

All people residing in the United States whose private information was compromised in the Canvas data breach.

Minor Subclass

All people residing in the United States who, at the time of the breach, were under age 18 and whose private information was compromised — including children whose schools used Canvas.

According to the complaint, this includes students at thousands of K-12 districts and more than 40% of North American colleges and universities. If your child’s school used Canvas, or if you used Canvas as a college student, teacher, or school employee, you may be a class member.

Not sure whether your school used Canvas? Most schools that use Canvas integrate it into their primary class portal, often branded with the school’s name. If you logged into a system to view assignments, submit work, or message a teacher, there is a strong chance Canvas was the platform behind it.

What You May Be Entitled To

The complaint asks the court to award Class Members several forms of relief, including:

  • Compensation for time and out-of-pocket costs spent responding to the breach — placing fraud alerts, freezing credit, monitoring accounts, and dealing with any actual identity theft that follows.
  • Damages for lost privacy and the diminished value of stolen personal information.
  • Long-term credit and identity-theft monitoring services — the complaint requests at least ten years of monitoring for the Nationwide Class, and for the Minor Subclass, monitoring extending at least three years past the age of majority.
  • Court-ordered security improvements at Instructure, including independent security audits and individualized notice to every affected user.
  • Statutory and punitive damages where authorized by law.

The amount any individual Class Member could recover depends on factors including the type of harm experienced, applicable state laws, and the ultimate outcome of the case. Cases like this have resulted in significant settlements and court-ordered remedies in past student data breach matters.

Statute of Limitations Warning

⚠ Time-Sensitive: Deadlines Apply

Statutes of limitations vary by state and case type. State data breach notification laws and consumer protection statutes each have their own deadlines, and some can be triggered the moment you become aware that your information was compromised. Deadlines vary by state. Contact us immediately to find out how much time you have.

Carey & Danis offers a free, no-obligation case evaluation. There is no fee unless we win.

Frequently Asked Questions

Do I need to know for certain that my data was stolen to join the class?

No. Class actions like this one cover all people whose data was compromised, even if individual notification has not yet been received. According to the complaint, Instructure had not provided individualized notice to most affected users as of the filing date. If your school used Canvas during the period covered by the breach, you may be a class member.

My child is a minor. Can I file a claim on their behalf?

Yes. Parents and legal guardians can pursue claims on behalf of minor children. The named plaintiff in this case did exactly that — she filed on behalf of herself and her 15-year-old child. The lawsuit also includes a separate Minor Subclass to address harms specific to children, including the higher long-term identity-theft risk minors face.

What kind of information was stolen?

According to the complaint and Instructure’s own public statements, the stolen data includes names, email addresses, student identification numbers, and the contents of private messages sent through Canvas. The complaint alleges that these messages — totaling billions of communications — often contained sensitive discussions about academic struggles, mental health, family issues, and other personal matters between students and teachers.

Why does it matter that this is the second time this hacker group breached Instructure?

The complaint alleges that ShinyHunters — the same group behind the April 2026 breach — successfully attacked Instructure’s Salesforce systems in September 2025. According to the complaint, that earlier breach gave Instructure direct, advance warning that its security was inadequate and that this specific criminal group was targeting it. The lawsuit alleges that Instructure’s failure to fix the problems exposed by the earlier breach is a key reason the second, much larger breach was possible.

How much does it cost to talk to a lawyer about this?

Nothing. Carey & Danis handles class action and data breach cases on a contingency-fee basis, which means there is no upfront cost and no fee unless we recover money for you. Your initial consultation is completely free and confidential.

What should I do right now to protect myself or my child?

The Federal Trade Commission recommends that data breach victims place fraud alerts with the major credit bureaus, review their credit reports, consider freezing their credit, and watch carefully for suspicious emails or messages that appear to come from schools or teachers. For minor children, parents can contact the credit bureaus directly to check whether a credit file exists in the child’s name and request a freeze. You should also document the time you spend on these protective steps — that time may be compensable as part of your claim.

Will I have to go to court or testify?

In almost every class action, the vast majority of class members never appear in court or give testimony. The named plaintiff and class representatives carry that burden on behalf of everyone in the class. Most class members participate simply by submitting a claim form if and when a settlement or judgment is reached.

Why Carey & Danis

Carey & Danis represents plaintiffs in complex class action and mass tort litigation across the country, including data privacy and data breach cases. The firm is co-counsel for the plaintiff in Sarkis v. Instructure, Inc. and is actively investigating claims on behalf of additional students, parents, and school employees affected by the Canvas breach. Carey & Danis has recovered hundreds of millions of dollars for clients nationwide in consumer protection, privacy, and product liability cases. There is no fee unless we win.

Source: Sarkis v. Instructure, Inc., No. 2:26-cv-00380-DBP, Class Action Complaint filed in the U.S. District Court for the District of Utah on May 6, 2026. This post is based on publicly available information and the allegations in the filed complaint. The allegations have not been proven in court.

Find Out If You or Your Child Have a Case — Free Consultation

Our attorneys are actively investigating the Instructure Canvas data breach. If you, your child, or someone in your family used Canvas at a school that was affected — or if you simply want to find out — tell us about your situation and we will review your potential claim at no charge.

No Fee Unless We Win. Your consultation is completely free and confidential. Carey & Danis has recovered hundreds of millions of dollars for clients nationwide.

    YesNoNot sure

    YesNoMultiple users — both adults and minors

    By submitting this form, you agree to be contacted by Carey & Danis LLC regarding your potential claim. No attorney-client relationship is created by submitting this form. There is no fee unless we win your case.

    This form uses Akismet to reduce spam. Learn how your data is processed.