Data Stolen in Canvas Hack - Here's What to Do Right Now.
Data Has Been Stolen in Canvas Hack - Here's What to Do Right Now.
A step-by-step guide for Hampton Roads students, staff, and families affected by the Instructure cyberattack.
What happened: In early May 2026, the criminal hacking group ShinyHunters breached Instructure, the parent company of Canvas — the online learning platform used by millions of students across Hampton Roads and nationwide. The group claims to have stolen roughly 275 million records, including names, email addresses, student ID numbers, and private messages. Multiple Hampton Roads school divisions, colleges, and universities were affected.
Canvas is back online, but the work isn't over for the tens of millions of students, teachers, and staff whose information may now be in the wrong hands. Here are the concrete steps you should take to protect yourself — starting today.
Immediate action
Change your Canvas password — and every account that shares it
While Instructure says there is no evidence passwords were directly stolen, your Canvas login credentials may still be at risk. Change your Canvas password immediately, and do not stop there.
If you have used the same password on any other account — email, social media, banking, Netflix — change those too. Password reuse is one of the most dangerous habits in digital life. A hacker who gets your credentials from one breach will try them on dozens of other services automatically.
Best practice: Use a unique, strong password (12+ characters, mixing letters, numbers, and symbols) for every account. A password manager like Bitwarden (free) or 1Password makes this manageable without having to memorize everything.
Change Canvas / school login password now
Change any accounts that share the same password
Enable two-factor authentication (2FA) on every important account
Download a free password manager and start using it
Report immediately
Report any phishing emails, calls, or texts the moment you see them
With your name, email address, and student ID now potentially in the hands of criminals, expect a surge in phishing attempts. These will look convincing — messages pretending to be from your school, from Canvas, from the FBI, or even from financial institutions.
Do not click any links or open attachments in suspicious messages. Do not call back numbers you don't recognize. And do not provide personal information to anyone who contacts you unsolicited.
Red flags to watch for: Urgent requests for passwords or payment, messages with misspelled school names, calls claiming you owe money or face legal action, texts asking you to "verify" your account via a link.
Report phishing immediately through these channels:
Forward phishing emails to your school's IT department
Report phishing emails to the FTC at reportfraud.ftc.gov
File a report with the FBI's Internet Crime Complaint Center at ic3.gov
"A breach doesn't end when the platform comes back online. It begins."
Ongoing protection
Educate yourself on online safety and how to recognize scams
The most powerful long-term protection isn't a software tool — it's awareness. Cybercriminals rely on people acting without thinking. Taking time to understand how scams work dramatically reduces your risk.
Visit consumer.ftc.gov/scams to learn about the latest scam tactics
Watch CISA's free online safety tutorials at cisa.gov/be-cyber-smart
Talk to your children about not sharing passwords, even with friends
Learn to spot social engineering — scammers who pretend to be trusted figures
Set up Google Alerts for your name to monitor for identity misuse
For families: Talk with your student about what happened. Make it clear that school officials will never ask for a password via email or text. Practicing these conversations now builds habits that last a lifetime.
Adults 18+ — critical step
Freeze your credit at all three bureaus
If you are 18 or older, a credit freeze is one of the most effective steps you can take. While Instructure says financial information was not part of this breach, stolen personal identifiers — your name, email, and student ID — can be combined with other data hackers already hold to open fraudulent accounts in your name.
A credit freeze is free, does not affect your credit score, and takes only minutes per bureau. It prevents lenders from accessing your credit report, making it nearly impossible for someone to open new credit in your name.
How to freeze your credit — all three bureaus
Equifax: equifax.com/personal/credit-report-services | 1-800-685-1111
Experian: experian.com/freeze/center.html | 1-888-397-3742
TransUnion: transunion.com/credit-freeze | 1-888-909-8872
Freeze credit at Equifax, Experian, and TransUnion (all three required)
Save your PIN or password from each bureau securely
Set up free credit monitoring (Credit Karma, Experian free tier)
Review your credit reports for free at annualcreditreport.com
Parents: Consider freezing your minor child's credit too. Children's Social Security numbers are prime targets because they typically go unmonitored for years. Each bureau allows you to freeze a minor's credit using their SSN and a copy of their birth certificate.
Long-term vigilance
Stay diligent — the risk doesn't expire
Data from breaches doesn't disappear. It circulates on dark web markets for months or even years, resurfacing in new attacks. Staying alert is not a one-time task — it's an ongoing habit.
Check haveibeenpwned.com to see if your email has appeared in known breaches
Monitor your bank and card statements weekly for unfamiliar charges
Review your school's official communications for breach updates
Keep an eye on official updates from Instructure at status.instructure.com
Be especially cautious around tax season — stolen IDs are often used to file false returns
Watch for IRS tax fraud: File your taxes as early as possible next season. If your SSN has been compromised, someone may attempt to file a fraudulent return in your name before you do. The IRS Identity Protection PIN program can help — visit irs.gov/identity-theft-fraud-scams to enroll.
Stay informed — and stay safe
Instructure has said it is working with the FBI, CISA, and international law enforcement. A proposed class action lawsuit was filed in federal court on May 13, 2026. Check your school's official website for updates specific to your institution — and report any suspicious activity immediately to both your school's IT department and your local law enforcement.
