216.73.217.50

Technical Advisory: Breach of Instructure Canvas LMS

· Published 09/05/2026 11:15 · Modified 11/05/2026 09:56

Export JSON

Essential information

Published
09/05/2026 11:15
Modified
11/05/2026 09:56
Tags
2026-05-09 api compromise canvas lms credential-theft data breach education sector extortion phishing campaign social engineering
Related entities
2 observables, 1 intrusion sets (apt), 20 techniques (mitre), 4 others

Description

In early May 2026, Instructure confirmed a breach affecting its Canvas learning platform after detecting unauthorized activity on May 1. ShinyHunters exploited the Free-For-Teacher account program, compromising the Canvas platform directly and exposing names, email addresses, student IDs, and private messages. The exposure window ran from April 30 to May 7, 2026. ShinyHunters claims 3.6 TB of data covering approximately 275 million users across 9,000 schools globally, including institutions in the US, Australia, and EU. This represents ShinyHunters' second attack against Instructure in eight months. Instructure shut down the Free-For-Teacher program permanently, rotated API keys and privileged credentials, and engaged forensic investigators. The stolen data enables personalized phishing campaigns targeting students and faculty, with attackers potentially having write access sufficient to deface login pages at multiple institutions.

External references