Hackers have published a massive list of educational institutions allegedly affected by the growing Canvas LMS data breach, with names including Harvard University, MIT, Oxford University, and thousands of schools across multiple countries.
The leak is tied to the cybercrime group ShinyHunters, which claims to have breached systems connected to Canvas, the widely used learning management platform developed by Instructure. The attackers allege the incident affects nearly 9,000 institutions and up to 275 million individuals worldwide.
According to files published by the group, approximately 8,809 educational organizations appear on the leaked victim list. The institutions span at least 10 countries, with the majority located in the United States, followed by Australia, the United Kingdom, and parts of Europe.
Among the organizations allegedly impacted are globally recognized universities, including Harvard, Oxford, MIT, Princeton, and the University of Pennsylvania. The list also contains high schools, vocational institutions, and several corporate entities believed to use Canvas for employee training programs.
ShinyHunters claims the breach exposed large volumes of sensitive educational data, including names, email addresses, student ID numbers, and billions of private messages exchanged between students, teachers, and administrators through the platform.
Instructure has confirmed a cybersecurity incident involving Canvas, but has not verified the scale of the attackers’ claims. The company stated that exposed information may include identifying data and user communications, though it said there is currently no evidence that passwords, financial data, dates of birth, or government-issued identifiers were compromised.
The company also said it has revoked privileged credentials, rotated security keys, patched affected systems, and increased monitoring while working with external forensic specialists to investigate the incident.
The breach has triggered concern throughout the education sector because Canvas is one of the world’s most widely used learning management systems. More than 40% of colleges and universities reportedly rely on the platform for coursework, assignments, messaging, and digital classroom management.
Several universities and schools worldwide have already acknowledged receiving notifications connected to the incident. Educational institutions in Australia, Sweden, and other countries confirmed they are assessing potential exposure involving student and staff data.
Authorities and school administrators are particularly concerned about the possible exposure of private communications inside educational environments. Researchers warn that leaked conversations, email addresses, and institutional records could be exploited in phishing attacks, identity theft campaigns, or targeted social engineering operations.
The incident also highlights the growing cybersecurity risks facing educational institutions. Universities and schools have become increasingly attractive targets for cybercriminal groups because they store large amounts of personal data while often operating with fragmented IT environments and limited security resources.
ShinyHunters has emerged as one of the most active extortion-focused cybercrime groups in recent years, repeatedly targeting cloud services, SaaS providers, universities, and enterprise platforms. The group has previously been linked to breaches affecting Salesforce environments, telecommunications companies, financial institutions, and government agencies.
Researchers say the group frequently combines data theft with public extortion tactics, threatening to leak stolen information unless victims agree to negotiations. In many cases, attackers publish victim names or partial datasets to increase pressure and attract media attention.
The Canvas incident appears to fit that pattern. ShinyHunters has continued releasing additional information related to the breach, including lists of allegedly affected institutions, while warning organizations to contact the group before further data is leaked publicly.
Security analysts say the true scale of the breach remains unclear because independent verification of the attackers’ claims is still ongoing. However, if the numbers provided by ShinyHunters prove accurate, the incident could become one of the largest education-sector data breaches on record.