Technical Advisory: Breach of Instructure Canvas LMS
Essential information
- Published: 09/05/2026 11:15
- Modified: 11/05/2026 09:56
- Tags: 2026-05-09 api compromise canvas lms credential-theft data breach education sector extortion phishing campaign social engineering
- Related entities: 2 observables, 1 intrusion set (apt), 20 techniques (mitre), 4 others
Description
In early May 2026, Instructure confirmed a breach affecting its Canvas learning platform after detecting unauthorized activity on May 1. ShinyHunters exploited the Free-For-Teacher account program, compromising the Canvas platform directly and exposing names, email addresses, student IDs, and private messages. The exposure window ran from April 30 to May 7, 2026. ShinyHunters claims 3.6 TB of data covering approximately 275 million users across 9,000 schools globally, including institutions in the US, Australia, and the EU. This is ShinyHunters' second attack against Instructure in eight months. Instructure shut down the Free-For-Teacher program permanently, rotated API keys and privileged credentials, and engaged forensic investigators. The stolen data enables personalized phishing campaigns targeting students and faculty, and the attackers potentially had write access sufficient to deface login pages at multiple institutions.