Trend Micro Analysis Details Instructure Canvas Breach by SHADOW-AETHER-015, Warns of Spear-Phishing Wave
Trend Micro's analysis of the Instructure Canvas breach reveals 8,809 institutions affected across 50 countries, with the SHADOW-AETHER-015 group exploiting backend access to expose sensitive student data.

A detailed analysis from Trend Micro Research has shed new light on the massive Instructure Canvas breach, confirming that the SHADOW-AETHER-015 threat actor compromised the backend of the learning management system, exposing data from 8,809 customers across 50 countries. The breach, which occurred in May 2026, affects universities, K–12 school districts, and teaching hospitals globally, including eight Ivy League institutions. Trend Micro warns that the primary risk is not the initial data theft but the follow-on spear-phishing campaigns that will leverage the highly sensitive personal information stored within Canvas.
Canvas is the learning management system of choice for tens of millions of students and educators worldwide, used for distributing coursework, recording grades, managing API integrations, and facilitating private conversations between students and faculty. According to TrendAI Research, the leaked data includes institution names, customer accounts, and instances, with the full scope of accessed data still being established. The presence of development, UAT, and staging instances in the data points toward backend infrastructure access or a platform-level compromise, rather than the takeover of individual customer accounts, which distinguishes this from a surface-level attack.
The breach is particularly serious because Canvas holds unusually sensitive personal information, including medical accommodation requests, personal circumstances shared with advisors, and private message histories. Trend Micro emphasizes that this data enables highly convincing follow-on attacks, as threat actors now potentially have real names, institutional email addresses, course context, and private message history, making it possible to craft phishing messages nearly indistinguishable from legitimate institutional communications. Additionally, API integrations amplify the impact, as Canvas connects to dozens of third-party applications via API keys, forcing institutions to re-authorize all external integrations during final exam periods.
Trend Micro's analysis reveals the geographic scale of the breach, with North America accounting for 94.9% of affected institutions (approximately 8,361), followed by Europe (196), Asia-Pacific (175), Latin America (55), and the Middle East & Africa (12). The United States alone accounts for 94.6% of affected institutions (8,335), with Australia (122), the United Kingdom (70), and Brazil (29) being the most significantly impacted countries outside North America. Confirmed figures include 2,514 higher education institutions, including all eight Ivy League universities, major state university systems, and internationally recognized institutions such as Oxford, Cambridge, NUS, and the University of Melbourne, as well as 1,616 K–12 school districts.
The report identifies SHADOW-AETHER-015 as a medium-to-high capability extortion group, noting their involvement in a 2025 compromise of Instructure's Salesforce environment, which resulted in millions of data records being compromised and leaked. Their documented approach is often to exploit a trusted third-party integration to reach a higher-value target. Trend Micro warns that institutions should expect spear-phishing campaigns using real institutional context, credential abuse attempts against institutional systems, and targeted social engineering of individuals whose sensitive personal disclosures were captured in Canvas messages.
Trend Micro provides practical guidance for security and IT teams, emphasizing that the weeks following a large-scale data exposure typically bring increased phishing and social engineering attacks. The analysis underscores that the breach is one of the most geographically widespread education sector exposures on record, with the downstream risk extending across K–12, higher education, and healthcare institutions. Institutions are advised to implement enhanced monitoring, re-authorize all external integrations, and prepare for targeted attacks leveraging the stolen context.
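The warning above is that the follow-on phishing will carry real names, course context, and even private message history, so content alone will not separate it from legitimate institutional mail. What still distinguishes it is the envelope: lookalike sender domains, missing or misaligned DKIM on a message claiming to come from the institution, a Reply-To that diverges from the From address, and links to hosts the institution does not own. The following triage script is an added example written for this page; it is not code from Trend Micro, Instructure, or any Canvas project. It assumes a hypothetical institution domain (example.edu), a hypothetical Canvas hostname (canvas.example.edu), and three constructed messages: one legitimate grade notice, one spear-phish that reuses a stolen accommodation request, and one spoofed institutional sender with a failing DKIM result.

```python
"""Header- and link-based triage for post-breach spear-phishing.

Added example, not Trend Micro's or Instructure's code. Institution domain,
trusted hosts and the sample messages below are all assumed/constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INSTITUTION_DOMAIN = "example.edu"                      # assumed
TRUSTED_LINK_HOSTS = {"example.edu", "instructure.com"}  # assumed allowlist
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
LURES = ("verify your", "password", "within 24 hours", "suspended")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels; adequate for .edu/.com, not for ccSLDs such as .ac.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)


def is_lookalike(domain: str) -> bool:
    """Typo-squat (edit distance <= 2) or institution label buried as a subdomain."""
    d = registrable(domain)
    if d == INSTITUTION_DOMAIN:
        return False
    if levenshtein(d, INSTITUTION_DOMAIN) <= 2:
        return True
    label = INSTITUTION_DOMAIN.split(".")[0]
    return label in domain.lower().split(".")[:-2]  # e.g. example.edu.canvas-verify.net


def dkim_result(msg):
    """Return (result, signing domain) from Authentication-Results, or (None, None)."""
    ar = msg.get("Authentication-Results", "")
    res = re.search(r"dkim=(\w+)", ar)
    dom = re.search(r"header\.d=([\w.-]+)", ar)
    return (res.group(1).lower() if res else None, dom.group(1) if dom else None)


def body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")


def triage(raw: str) -> dict:
    """Score one RFC 822 message; every rule that fires adds a reason."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.split("@")[-1].lower() if "@" in addr else ""
    if from_dom and is_lookalike(from_dom):
        reasons.append(f"sender domain '{from_dom}' resembles {INSTITUTION_DOMAIN}")
    if INSTITUTION_DOMAIN.split(".")[0] in display.lower() and registrable(from_dom) != INSTITUTION_DOMAIN:
        reasons.append("display name invokes the institution but the address does not")
    if registrable(from_dom) == INSTITUTION_DOMAIN:
        result, d = dkim_result(msg)
        if result != "pass" or (d and registrable(d) != INSTITUTION_DOMAIN):
            reasons.append("institutional sender without a passing, aligned DKIM signature")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.split("@")[-1]) != registrable(from_dom):
        reasons.append(f"Reply-To domain '{reply.split('@')[-1]}' differs from sender domain")
    body = body_text(msg)
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            reasons.append(f"link to lookalike host {host}")
        elif not is_trusted_host(host):
            reasons.append(f"link to untrusted host {host}")
    if any(k in body.lower() for k in LURES):
        reasons.append("credential or urgency lure in body")
    verdict = "quarantine" if len(reasons) >= 2 else ("review" if reasons else "deliver")
    return {"score": len(reasons), "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real mail).
LEGIT = """From: Registrar <registrar@example.edu>
To: jdoe@example.edu
Subject: BIO 201 final grades posted
Authentication-Results: mx.example.edu; dkim=pass header.d=example.edu; spf=pass smtp.mailfrom=example.edu
Content-Type: text/plain

Final grades for BIO 201 are now visible in Canvas:
https://canvas.example.edu/courses/4821/grades
"""

PHISH = """From: Canvas Support <support@examp1e.edu>
Reply-To: canvas-helpdesk@outlook.com
To: jdoe@example.edu
Subject: Action required: BIO 201 accommodation request
Authentication-Results: mx.example.edu; dkim=pass header.d=examp1e.edu; spf=pass smtp.mailfrom=examp1e.edu
Content-Type: text/plain

Hi Jane, following your message to Dr. Smith about extended-time testing,
please verify your Canvas login within 24 hours or the request will be suspended:
https://example.edu.canvas-verify.net/login
"""

SPOOFED = """From: Office of Accessibility <accessibility@example.edu>
To: jdoe@example.edu
Subject: Update to your accommodation letter
Authentication-Results: mx.example.edu; dkim=fail header.d=example.edu; spf=softfail smtp.mailfrom=example.edu
Content-Type: text/plain

Your accommodation letter has been updated. Sign in to confirm your password:
https://sso-example-edu.com/login
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH), ("spoofed", SPOOFED)):
        print(name, triage(raw))
```

The rules are deliberately independent of message wording, since the stolen Canvas context lets an attacker reproduce course names, advisor names and prior conversations verbatim; the third sample shows that a message from the institution's genuine domain is still caught when the DKIM signature does not align. In production the registrable-domain logic should use a public suffix list, and the lure keywords are only a tie-breaker, never a rule on their own.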