In late April 2026, a cybercriminal group called ShinyHunters walked out of Instructure’s Canvas — the learning management system (LMS) that universities and schools use to deliver coursework, assignments, and grades — with what they claim is 3.65 terabytes of student and staff data from 8,809 educational institutions across 28 countries. When Instructure didn’t pay, ShinyHunters came back on 7 May — right in the middle of finals week — and took Canvas offline entirely. Canvas runs on roughly 41% of North American higher education.
This article is part of the Canvas breach cluster. It’s the foundational record: what happened, when, how ShinyHunters got in, what data was taken, and what’s still unresolved as of 12 May 2026.
One thing worth clearing up first: ShinyHunters runs a “pay or leak” data extortion model — they didn’t encrypt anything. If you came here via “Canvas ransomware,” the correct term is data extortion, and that distinction matters a lot for how institutions need to respond.
What Happened in the Canvas Data Breach of 2026?
- ShinyHunters exploited a vulnerability in Instructure’s Free-For-Teacher accounts to exfiltrate what they claim is 3.65 TB of data — including 275 million student records across 8,809 institutions — beginning 25 April 2026.
- Instructure detected the breach on 29 April and confirmed it publicly on 3 May; CISO Steve Proud issued the primary corporate statement.
- A missed ransom deadline triggered a second attack on 7 May, defacing approximately 330 institutional login pages and taking Canvas fully offline.
- As of 12 May 2026, ransom payment status remains unconfirmed.
There are really two separate incidents here. The April 25 data exfiltration and the May 7 defacement are distinct attacks — the first was a quiet data theft, the second was a very public demonstration that the first hadn’t actually been dealt with. ShinyHunters (full profile in ART002: ShinyHunters and the Education Extortion Playbook) is a financially motivated cybercriminal collective that’s been active since 2019–2020. Their playbook is simple: steal data at scale, set a deadline, and leak publicly if payment doesn’t come.
It’s worth being clear on one thing: the 275 million records and 3.65 TB figures are ShinyHunters’ own claims. Instructure has confirmed a breach occurred and that student data was accessed — but hasn’t confirmed the scale.
When Did the Canvas Breach Happen — What Is the Full Timeline?
- The breach began 25 April 2026 via Free-For-Teacher accounts; Instructure detected it internally on 29 April.
- ShinyHunters published data samples on 1 May; Instructure confirmed publicly on 3 May — but had already declared “containment” on 2 May.
- A missed ransom deadline on 6 May triggered the second attack on 7 May; Canvas was restored on 8 May.
- The final ShinyHunters deadline falls on 12 May 2026 — the date of this publication.
Here’s how it played out, date by date:
- 25 April 2026 — Initial compromise via Free-For-Teacher account vulnerability (Halcyon)
- 29 April 2026 — Instructure identifies unauthorised access, revokes attacker credentials; FBI and CISA notified (ComplexDiscovery)
- 1 May 2026 — Instructure publicly discloses a cybersecurity incident; ShinyHunters publishes ransom claim and data samples on ransomware.live (Compass ITC)
- 2 May 2026 — CISO Steve Proud declares the incident “contained” (Compass ITC / KrebsOnSecurity)
- 3 May 2026 — Instructure issues full public confirmation of the breach (ComplexDiscovery)
- 6 May 2026 — Original deadline passes without payment; Instructure declares incident closed (Halcyon)
- 7 May 2026 — Second attack: defacement of approximately 330 institutional login pages; Canvas taken offline; ShinyHunters removes Instructure from ransomware.live (Halcyon / KrebsOnSecurity)
- 8 May 2026 — Canvas restored; Instructure permanently shuts down all Free-For-Teacher accounts and confirms FFT accounts as the attack vector (KrebsOnSecurity)
- 12 May 2026 — Final ShinyHunters deadline for individual institution negotiations (Halcyon)
The May 2 “containment” declaration is the detail that stings most. Steve Proud’s statement came three days before the missed deadline and five days before the recompromise. Dipan Mann of Cloudskope was blunt about it: the May 7 attack “is at least the third time in the past eight months that Instructure has been breached by ShinyHunters.”
How Did ShinyHunters Get Into Canvas — What Was the Free-For-Teacher Account Vulnerability?
- ShinyHunters exploited Free-For-Teacher (FFT) accounts — a free tier Instructure offered to individual educators — which existed within the same production environment as institutional student data.
- Because FFT accounts were architecturally adjacent to Canvas’s multi-tenant production infrastructure, exploiting them provided access to data across paying institutional customers.
- The same vulnerability was exploited on both 25 April and 7 May — it was not patched between events.
- Instructure permanently shut down all FFT accounts on 8 May 2026.
Why a Free Educator Account Had Access to Student Data at Scale
Free-For-Teacher accounts were a no-cost Canvas tier for individual educators outside institutional licensing — a way for teachers to explore Canvas without needing to go through their institution. The architectural problem is what happened next.
These accounts were not sandboxed. They ran on Instructure’s production Canvas infrastructure — the same environment that holds data for paying institutional customers. When the verification gap between an FFT account and the production environment became an exploitation gap, the isolation model collapsed entirely. Instructure’s May 8 update confirmed it: “This is the same issue that led to the unauthorised access the prior week.” The vulnerability sat unpatched for 12 days between the two incidents.
The specific technical method — credential stuffing, social engineering, or a direct flaw in account provisioning — has not been confirmed by Instructure. What is confirmed: the attacker gained access to production data and achieved write access sufficient to deface login pages at approximately 330 institutions. The market concentration that makes this risk so acute is examined in ART003: One Platform, 8,809 Schools, and the LMS Concentration Risk.
What Data Was Stolen From Canvas — and What Has Instructure Confirmed?
- ShinyHunters claims to have exfiltrated 275 million records totalling 3.65 TB — including student names, email addresses, student ID numbers, and internal Canvas messages — spanning 8,809 institutions across 28 countries.
- Instructure has confirmed student data was accessed but has not confirmed the scale figures.
- Records appear to implicate minors, triggering obligations under both FERPA and COPPA.
Instructure-confirmed data types: student and staff names, email addresses, student ID numbers, and Canvas internal messages between users. No passwords, dates of birth, government identifiers, or financial information — Duke CISO Nick Tripp confirmed Instructure relayed this directly.
ShinyHunters’ additional claims (unconfirmed): several billion private messages, phone numbers, 44 Dutch institutions specifically named, and named institutions including Harvard, MIT, Stanford, Oxford, Cambridge, Duke, UC Berkeley, Penn State, and Rutgers.
The confirmed data is more than enough to cause serious harm downstream. Names, email addresses, student IDs, and Canvas message content together are sufficient to craft convincing spear-phishing emails that reference real courses and real conversations. And Canvas messages can include disability accommodation discussions, mental health conversations, and academic integrity concerns — content that is personally identifiable and potentially stigmatising.
The international scope — 28 countries, 44 Dutch institutions — signals GDPR supervisory notification obligations for European campuses. Full regulatory analysis, including FERPA and COPPA obligations, is covered in ART004: FERPA Wasn’t Built for This.
What Was the September 2025 University of Pennsylvania Breach — and Why Does It Matter?
- In September 2025, ShinyHunters published thousands of internal University of Pennsylvania files using an Instructure/Canvas-mediated access path.
- Security researcher Dipan Mann of Cloudskope publicly identified this as ShinyHunters’ proof-of-concept for the May 2026 campaign — a test of the FFT account vulnerability not publicly attributed to Instructure at the time.
- Most mainstream coverage of the May 2026 breach treats April 2026 as the starting point. It is not.
The Penn incident became apparent on 31 October 2025 via spam emails from Penn’s Graduate School of Education. In February 2026, ShinyHunters told the Daily Pennsylvanian that Penn had failed to pay a $1 million ransom. On 5 March, ShinyHunters published 461 megabytes of stolen Penn data. The Instructure/Canvas mechanism wasn’t part of the story at that point.
Dipan Mann, publishing on 7 May, reframed everything: Penn was the named victim, Instructure was the mechanism. The September 2025 Penn breach was the proof of concept. The 1 May 2026 incident was the production run. The 7 May recompromise was ShinyHunters demonstrating publicly that the May 2 “containment” declaration was nonsense. Penn’s CISO Nick Falcone confirmed in a 7 May email that the issue “is not limited to Penn and is affecting multiple institutions who use Canvas.”
What had been treated as a local problem was always a platform problem. The three-phase attack pattern is analysed in ART002: ShinyHunters and the Education Extortion Playbook.
How Did Canvas Go Offline During Finals Week — What Happened on 7 May 2026?
- On 7 May 2026, ShinyHunters exploited the same Free-For-Teacher vulnerability a second time, injecting a ransom message across approximately 330 Canvas institutional login pages and making the platform inaccessible.
- The defacement occurred as students at hundreds of universities were sitting or preparing for final examinations.
- Instructure’s status page described the event as “scheduled maintenance” — a characterisation publicly challenged by Dipan Mann of Cloudskope.
By mid-day, students and faculty were flooding social media with reports that a ransom demand had replaced the Canvas login page. ShinyHunters directed individual institutions to negotiate directly via TOX — an encrypted peer-to-peer messaging platform — and a source confirmed to KrebsOnSecurity that a number of universities had already approached ShinyHunters about paying.
Instructure’s May 8 update clarified that “no further data was accessed on May 7” — the attack was login-page injection, not a second exfiltration. The timing was not accidental: 7 May is the peak of the Northern Hemisphere final examination period. Penn State announced all tests scheduled for Thursday evening and Friday were cancelled.
Did Instructure Pay the Ransom — What Does the Silence Mean?
- As of 12 May 2026 — the final ShinyHunters deadline — Instructure has not confirmed or denied making a ransom payment.
- ShinyHunters removed Instructure from ransomware.live on 7 May, a pattern that in prior campaigns (ADT, Ticketmaster) preceded payment confirmation — but removal alone does not confirm payment.
- The silence is a corporate communications choice. Treat it as an open question, not an omission.
Here’s the ransom track: listed on ransomware.live 3 May; original deadline missed 6 May; listing removed 7 May after the second attack; final institutional deadline 12 May. In prior ShinyHunters campaigns — ADT, Salesforce (via Snowflake), Ticketmaster — removal from the data leak site preceded or coincided with payment confirmation. It is not proof of payment. Instructure’s silence is legally defensible: with FBI and CISA engaged, public statements about ransom negotiations can complicate proceedings.
This article cannot resolve the payment question. If payment status is confirmed before publication, this article, ART006, and the complete Canvas breach analysis will be updated.
What Should Your Institution Do If It Is on the Affected List?
- Verify whether your institution appears on the ShinyHunters list — then treat the listed data as compromised and begin credential rotation immediately, regardless of the result.
- Priority: rotate Canvas API keys, OAuth tokens, SSO credentials, and all staff and student account passwords.
- Issue a phishing advisory to students and staff before any data is publicly released.
- Instructure’s official incident update page is at instructure.com/incident_update.
Instructure has stated that affected organisations were notified directly by 6 May. Don’t rely on third-party lists. Absence of contact is not confirmation of safety. Here’s what to do now:
- Rotate all Canvas API keys, OAuth tokens, and SSO credentials. Re-authorise any LTI, OAuth, or SAML integrations if you haven’t already.
- Rotate student and staff account passwords.
- Issue an immediate phishing advisory. Names, emails, student IDs, and Canvas message content together are enough for convincing spear-phishing targeting real courses and real conversations.
- Review your Instructure contract for data processing terms, breach notification obligations, and indemnification clauses.
- Engage legal counsel regarding FERPA obligations, state student privacy law notification deadlines, and required attorney general filings.
- If European campuses are in scope, assess the GDPR 72-hour supervisory notification window from the point of awareness.
- Account for the fact that an adversary now holds a copy of Canvas-stored content, which has chain-of-custody implications for legal and eDiscovery processes.
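An added example, not part of the original article and not Instructure tooling: one way to track the rotation steps above is to audit an inventory of Canvas-linked credentials against the dates in the timeline. The inventory format, the credential names, and the three-tier policy (including re-rotating anything rotated before the Free-For-Teacher vector was closed on 8 May) are assumptions of this example.

```python
import csv
import io
from datetime import date

# Dates taken from the article's timeline.
FIRST_COMPROMISE = date(2026, 4, 25)  # initial Free-For-Teacher compromise
VECTOR_CLOSED = date(2026, 5, 8)      # Instructure shuts down all FFT accounts

# Constructed sample inventory (names and dates are illustrative, not real data).
SAMPLE_INVENTORY = """name,kind,last_rotated
sis-sync-api-key,api_key,2025-11-03
gradebook-export-token,oauth_token,2026-04-30
campus-sso-saml-cert,sso,2026-05-09
plagiarism-lti-tool,lti,2026-04-25
library-lti-tool,lti,
"""

def classify(last_rotated):
    """Map a rotation date to an action. The tiers are this example's policy."""
    if last_rotated is None:
        return "UNKNOWN"      # no usable record: treat as never rotated
    if last_rotated < FIRST_COMPROMISE:
        return "ROTATE"       # predates the breach and was not rotated since
    if last_rotated < VECTOR_CLOSED:
        return "RE-ROTATE"    # rotated while the same vector was still open
    return "OK"

def audit(csv_text):
    """Return (name, kind, status) rows, most urgent first."""
    order = {"UNKNOWN": 0, "ROTATE": 1, "RE-ROTATE": 2, "OK": 3}
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        raw = (rec.get("last_rotated") or "").strip()
        try:
            when = date.fromisoformat(raw) if raw else None
        except ValueError:
            when = None       # an unparseable date is as bad as a missing one
        rows.append((rec["name"].strip(), rec["kind"].strip(), classify(when)))
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

def outstanding(csv_text):
    """Names of credentials that still need action."""
    return [name for name, _, status in audit(csv_text) if status != "OK"]

if __name__ == "__main__":
    for name, kind, status in audit(SAMPLE_INVENTORY):
        print(f"{status:<10} {kind:<12} {name}")
```

The RE-ROTATE tier is deliberately conservative: Instructure states no further data was accessed on 7 May, so an institution may choose to fold that tier into OK.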
For students: treat your Canvas-associated email as a confirmed phishing target.
Full FERPA and COPPA compliance obligations are covered in ART004: FERPA Wasn’t Built for This. Operational continuity guidance is in ART005: Finals Suspended — Crisis Response When Your LMS Goes Dark.
Frequently Asked Questions
Is the Canvas breach ransomware?
No. ShinyHunters uses data extortion — systems were not encrypted. Their model is “pay or leak”: exfiltrate data, publish a deadline, release it publicly if payment isn’t received. The May 7 defacement took Canvas offline via login-page injection, not system encryption. “Ransomware” is technically wrong for this incident.
Is my university on the list of affected institutions?
ShinyHunters published a list on ransomware.live, covered by KrebsOnSecurity. Instructure will notify affected institutions directly — the authoritative source is instructure.com/incident_update. Being on the list means your data was exfiltrated; it does not mean it has been publicly released, as of 12 May 2026.
Did Instructure pay the ransom to ShinyHunters?
Unknown as of 12 May 2026. ShinyHunters removed Instructure from ransomware.live on 7 May — a pattern that in prior campaigns preceded payment — but removal is not proof. This article will be updated if confirmed.
Why was Canvas down during finals week in May 2026?
ShinyHunters defaced approximately 330 Canvas login pages on 7 May using the same Free-For-Teacher vulnerability as the April 25 attack. Instructure called it “scheduled maintenance” — Dipan Mann of Cloudskope challenged this publicly. Canvas was restored on 8 May. Penn State confirmed finals were cancelled.
What is a “Free-For-Teacher” account and why did it matter?
FFT accounts were a no-cost Canvas tier for individual educators outside institutional licensing — provisioned in the same production environment as institutional student data, not a sandboxed tier. ShinyHunters exploited them on both 25 April and 7 May. Instructure shut them down permanently on 8 May 2026.
How many schools were affected by the Canvas breach?
ShinyHunters claims 8,809 institutions across 28 countries, including 44 Dutch institutions. Named institutions include Harvard, MIT, Stanford, Oxford, Cambridge, Duke, UC Berkeley, Penn State, and Rutgers. These are ShinyHunters’ claims — not confirmed by Instructure.
What data was stolen from Canvas?
Instructure-confirmed: student and staff names, email addresses, student ID numbers, and Canvas internal messages. No passwords, government identifiers, or financial information. ShinyHunters additionally claims several billion private messages and phone numbers — unconfirmed. K-12 data likely includes students under 13, triggering FERPA and COPPA obligations.
What is ShinyHunters and why did they target Canvas?
ShinyHunters is a financially motivated cybercriminal collective active since 2019–2020. Prior targets include ADT, Ticketmaster, Salesforce (via Snowflake), McGraw Hill, and Infinite Campus. Canvas’s 41% North American higher education market share made it a high-leverage target. Full profile: ShinyHunters and the Education Extortion Playbook.
Is my school’s data safe after the Instructure breach?
Treat your Canvas-associated email and student ID as potential phishing targets. Check instructure.com/incident_update for official updates. The stolen message content makes impersonation convincing — be alert to communications referencing specific courses or conversations.
What did ShinyHunters steal from Canvas?
ShinyHunters claims 275 million records totalling 3.65 TB — names, email addresses, student ID numbers, and internal messages — from 8,809 institutions across 28 countries. Instructure has confirmed a breach and that student data was accessed, but not the scale.
What is the September 2025 University of Pennsylvania connection to the Canvas breach?
In September 2025, ShinyHunters published thousands of internal Penn files using an Instructure/Canvas-mediated access path — treated as a Penn-specific breach at the time. Dipan Mann of Cloudskope later identified it as the proof-of-concept for the May 2026 campaign. This attack had been eight months in the making.
Status: Live as of 12 May 2026. This article will be updated when ransom payment status is confirmed. If your institution has been directly notified by Instructure, treat the data described here as confirmed compromised and follow the response steps above. For the full structural, regulatory, and strategic analysis, see the Canvas breach overview.
Official Instructure updates: instructure.com/incident_update