VYPR
Breach · Published May 11, 2026 · Updated May 17, 2026 · 2 sources

Instructure Confirms Double Breach of Canvas Platform by ShinyHunters

Instructure has confirmed that the Canvas learning platform was breached twice by the ShinyHunters extortion group, leading to a global outage and a subsequent agreement to secure the destruction of stolen data.

Instructure, the parent company of the widely used online learning platform Canvas, has confirmed that it suffered two distinct security intrusions within a two-week period. The breaches, which occurred on April 29 and May 7, were orchestrated by the extortion group ShinyHunters. The attackers exploited a vulnerability within Instructure’s "Free-for-Teacher" learning system to gain unauthorized access to the platform (The Register).

The technical mechanism involved the exploitation of a specific security flaw in the Free-for-Teacher environment, which allowed the threat actors to access sensitive user information. According to Instructure, the stolen data includes usernames, email addresses, course names, enrollment details, and internal messages. The company emphasized that "core learning data," such as actual course content, student submissions, and credentials, remained uncompromised (The Register). During the second intrusion, the attackers defaced approximately 330 school login portals, prompting Instructure to take the platform offline and place it into maintenance mode to contain the threat (The Register).

The impact of the breach was global, affecting nearly 9,000 schools and potentially exposing records belonging to 275 million students, teachers, and staff (The Register). ShinyHunters claimed to have exfiltrated 3.65 TB of data, targeting prominent institutions including Harvard, Stanford, Columbia, Rutgers, and Georgetown (The Register). The timing of the incident—which occurred during final exams and Advanced Placement testing—caused significant disruption, forcing universities to reschedule exams and scramble for alternative ways to manage grades and assignments (The Register, SecurityWeek).

In response to the crisis, Instructure temporarily disabled all Free-for-Teacher accounts, revoked compromised credentials and access tokens, rotated internal keys, and restricted future token creation pathways (The Register). The company engaged CrowdStrike to conduct forensic analysis and notified both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) (The Register).

By May 11, Instructure announced that all Canvas environments were back online. In a significant development, the company disclosed that it had "reached an agreement with the unauthorized actor" and secured digital confirmation—in the form of "shred logs"—that the stolen data had been destroyed (The Register). While Instructure did not explicitly use the term "ransom payment," the agreement ensures that no customers will be extorted, and the company advised individual institutions against attempting to negotiate with the threat actors directly (The Register).

This incident marks the second time in less than a year that Instructure has faced a security breach, following a separate incident involving its Salesforce environment in September 2025 (The Register). As educational institutions increasingly digitize sensitive records, they have become high-value targets for cybercriminals seeking to leverage the timing of academic cycles to maximize extortion pressure (SecurityWeek). The resolution of this event highlights the ongoing tension between data security, operational continuity, and the complex decisions organizations face when confronted with large-scale extortion attempts.

Synthesized by Vypr AI