ShinyHunters Breaches Canvas LMS: Student Data from 9,000 Schools Exposed in Extortion Campaign

dark6 12 May 2026

The infamous hacking group ShinyHunters has struck again — this time targeting Instructure, the company behind Canvas Learning Management System (LMS), used by thousands of universities and schools worldwide. Instructure confirmed on May 11, 2026, that unauthorized access occurred on April 29, 2026, exposing student names, email addresses, student ID numbers, and some private messages exchanged between Canvas users across approximately 9,000 institutions globally.

How the Breach Unfolded

ShinyHunters exploited a critical architectural gap in Instructure’s Free-For-Teacher account program. This program allowed educators to create Canvas accounts without institutional verification, giving them access to Canvas features for classroom use. Crucially, these accounts operated on the same production Canvas infrastructure shared with paid institutional tenants — logically separated but backed by the same underlying systems.

An attacker using a compromised free account had access patterns indistinguishable from a legitimate teacher piloting Canvas before their school adopted the platform. Schools had no native way to identify which Free-For-Teacher accounts accessed their institutional Canvas tenant, whether through legitimate course integrations or malicious activity during the exposure window.

The exposure window ran from April 30 to May 8, 2026. During this period, the attacker gained unauthorized access to production Canvas data and potentially achieved write access sufficient to deface login pages at multiple institutions.

Scale of the Breach

ShinyHunters claims to have stolen 3.6 TB of data covering approximately 285 million users across 9,000 schools, though Instructure has not confirmed those figures. What the company officially confirmed includes:

  • User names and email addresses
  • Student ID numbers
  • Some private messages exchanged between Canvas users

Instructure stated there is no evidence of exposure for passwords, dates of birth, government identifiers, or financial information. Named institutions confirmed to be affected include the University of Pennsylvania, Harvard, MIT, Oxford, Rutgers, the University of North Carolina system, multiple Missouri colleges, and educational organizations in Australia and the EU.

ShinyHunters’ Extortion Campaign

The group launched a public extortion campaign on May 3, 2026, setting an original ransom deadline of May 8, later extended to May 12, 2026. In response, Instructure took Canvas, Canvas Beta, and Canvas Test offline for investigation on May 8, restored service the following day, and permanently shut down the Free-For-Teacher account program as part of its remediation response.

This is not ShinyHunters’ first attack on Instructure. The group previously targeted the company in September 2024, using social engineering tactics to compromise Salesforce business systems — though that earlier attack did not touch any Canvas product data. The May 2026 incident represents a direct, more damaging assault on the Canvas platform itself.

The Downstream Phishing Risk

The risk from this breach extends well beyond the initial exposure window. Stolen Canvas data is particularly dangerous because it enables highly convincing spear phishing campaigns targeting students and faculty. An email referencing a specific Canvas course, quoting an actual private Canvas message, or including the recipient’s real student ID establishes false credibility that can fool even careful users.

The stolen dataset — combining institutional email addresses, student IDs, and private message content from named universities — represents high-quality material for multi-stage phishing attacks that generic credential theft campaigns simply cannot replicate.

What Affected Institutions Should Do Immediately

Instructure has recommended a set of urgent actions for affected schools and universities:

  • Rotate all Canvas API credentials and integration tokens immediately
  • Monitor for phishing emails appearing to originate from Canvas or institutional addresses
  • Check Canvas login pages for any unauthorized modifications or defacements
  • Review Canvas audit logs for accounts with external email addresses that accessed courses or messages during the April 30 – May 8 window
  • Alert students, faculty, and staff to be highly vigilant about suspicious Canvas-themed emails
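The audit-log review in the list above is the one step that benefits from a worked script. The following is an added example, not Instructure's tooling and not Canvas's real export format: it assumes a constructed one-event-per-line log (timestamp, actor email, action, target), a set of the institution's own email domains, and the April 30 to May 8 window from the article, and it reports every non-institutional account that touched courses or conversations inside that window.

```python
"""Flag non-institutional Canvas accounts active inside the exposure window.
Added example; the log line format, domains and addresses below are
constructed for illustration and are not Canvas's actual audit-log format."""
from collections import defaultdict
from datetime import date, datetime

# Exposure window stated in the article (inclusive on both ends).
WINDOW_START = date(2026, 4, 30)
WINDOW_END = date(2026, 5, 8)

# Constructed sample lines: <timestamp> <actor email> <action> <target>
SAMPLE_LOG = """\
2026-04-28T09:12:03Z prof.lee@example.edu course.view course/4412
2026-05-01T22:47:19Z teacher.pilot@gmail.com course.view course/4412
2026-05-01T22:48:02Z teacher.pilot@gmail.com conversation.read conversation/88213
2026-05-03T03:15:40Z pilot2@outlook.com conversation.read conversation/88214
2026-05-06T11:02:11Z student42@example.edu conversation.read conversation/88215
2026-05-09T08:00:00Z teacher.pilot@gmail.com course.view course/4412
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, actor, action, target = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "action": action, "target": target}


def is_external(email, institutional_domains):
    """True when the address's domain is not one of the institution's own."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in institutional_domains}


def find_external_access(log_text, institutional_domains,
                         start=WINDOW_START, end=WINDOW_END):
    """Return {actor: [(action, target), ...]} for external accounts that
    generated events inside the window; events outside it are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not (start <= ev["ts"].date() <= end):
            continue
        if is_external(ev["actor"], institutional_domains):
            hits[ev["actor"]].append((ev["action"], ev["target"]))
    return dict(hits)


if __name__ == "__main__":
    for actor, events in find_external_access(SAMPLE_LOG, {"example.edu"}).items():
        print(f"{actor}: {len(events)} event(s) in window -> {events}")
```

Accounts the script lists are leads for review, not proof of compromise: a Free-For-Teacher pilot by a real instructor would look identical, which is exactly the gap the article describes.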

Bitdefender MDR customers whose institutions appeared on the ShinyHunters disclosure list were notified directly with recommended remediation steps. Monitoring continues for the full disclosure cycle in case additional Canvas data surfaces on threat actor channels or dark web marketplaces.

A Systemic Lesson for SaaS Providers

The Canvas breach highlights a systemic risk inherent in freemium or free-tier programs that share infrastructure with paid tenants. When open-access accounts exist on the same production environment as institutional data, the attack surface expands significantly. The elimination of the Free-For-Teacher program demonstrates that even well-intentioned access programs can introduce unacceptable risk when tenant isolation is imperfect.

Organizations offering SaaS platforms with free tiers should urgently audit whether free-tier accounts can access data belonging to paid institutional customers, and implement stronger verification and behavioral monitoring for non-institutional account holders.
