Canvas Breach Disrupts Schools & Colleges Nationwide

Source: Krebs on Security

Instructure’s Initial Response

• Instructure (NYSE: INST) disabled the platform after the defacement.
• Earlier in the week the company acknowledged a data breach after the cyber‑crime group ShinyHunters claimed responsibility and warned it would leak data on tens of millions of students and faculty unless a ransom was paid.
• The original payment deadline was May 6, later pushed back to May 12.

Statement on Stolen Data (May 6)

In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.”
The company found no evidence that the breached data included more sensitive information such as passwords, dates of birth, government identifiers, or financial information.

• The May 6 update also noted that Canvas was fully operational and that Instructure was not seeing any ongoing unauthorized activity.
• “At this stage, we believe the incident has been contained,” the company wrote.

Renewed Attack (May 7)

By mid‑day on Thursday, May 7, students and faculty at dozens of schools and universities reported that a ransom demand from ShinyHunters had replaced the usual Canvas login page. In response, Instructure:

1. Pulled Canvas offline.

2. Replaced the portal with the message:

   “Canvas is currently undergoing scheduled maintenance. Check back soon.”

3. Updated its status page with:

   “We anticipate being up soon, and will provide updates as soon as possible.”
   (Status page link)

Extortion Message Shown to Users

“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”

The message advised affected schools to negotiate their own ransom payments to prevent publication of their data, regardless of whether Instructure decides to pay.

Additional Context & Commentary

• Data content: ShinyHunters claims the stolen data includes several billion private messages, plus names, phone numbers, and email addresses.
• Timing: Many affected institutions are in the middle of final exams, making a prolonged outage especially damaging.
• Victim negotiations: A source close to the investigation (who was not authorized to speak to the press) told KrebsOnSecurity that several universities have already approached ShinyHunters about paying. The same source noted that the ShinyHunters leak blog no longer lists Instructure among its current extortion victims and that the sample data from Canvas customers has been removed—typical behavior after a payment or negotiation.

Industry Reaction

Dipan Mann, founder and CEO of the security firm Cloudskope, criticized Instructure for labeling today’s outage as “scheduled maintenance” on its status page.

• Mann highlighted that ShinyHunters first demonstrated a breach on May 1, prompting Instructure’s CISO Steve Proud to declare the incident contained the next day.
• He added that today’s attack is at least the third time in the past eight months that Instructure has been breached by ShinyHunters.

Historical Breach (September 2025)

In a blog post, Mann noted that in September 2025 ShinyHunters released thousands of internal University of Pennsylvania files (donor records, internal memos, etc.) via a Canvas/Instructure‑mediated access path.

“Penn was the named victim. Instructure was the mechanism. The incident was treated as a Penn‑specific story by most of the national press and quietly handled by Instructure as a customer‑specific matter. That framing was wrong then. It is dramatically more wrong in light of the May 2026 events, which now look like the planned escalation of an attack pattern that ShinyHunters had been working against Instructure’s environment for at least eight months prior. The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.”
—Mann’s blog post

Prior Penn Ransom Demand

• In February, a ShinyHunters spokesperson told The Daily Pennsylvanian that Penn failed to pay a $1 million ransom demand.
• On March 5, ShinyHunters published 461 MB of stolen Penn data, including donor records and internal memos.

About ShinyHunters

ShinyHunters is a pro‑extortion group that typically removes victims from its leak sites only after receiving payment or after a victim agrees to negotiate. Their activities have repeatedly targeted Instructure’s Canvas platform, creating a pattern of breach, containment claims, and subsequent recompromise.

ShinyHunters Extortion Campaigns

A prolific and fluid cyber‑criminal group that specializes in data theft and extortion. They typically gain access to companies through voice‑phishing and social‑engineering attacks that often involve impersonating IT personnel or other trusted members of a targeted organization.

• Last month, ShinyHunters relieved the home‑security giant ADT of personal information on 5.5 million customers. The extortion group told BleepingComputer they breached the company by compromising an employee’s Okta single‑sign‑on account in a voice‑phishing attack that enabled access to ADT’s Salesforce instance.
• BleepingComputer says ShinyHunters has recently taken credit for a number of extortion attacks against high‑profile organizations, including Medtronic, Rockstar Games, McGraw Hill, 7‑Eleven, and the cruise‑line operator Carnival.

The attack on Canvas customers is just one of several major cyber‑crime campaigns being launched by ShinyHunters at the moment, said Charles Carmakal, chief technology officer at the Google‑owned Mandiant Consulting. Carmakal declined to comment specifically on the Canvas breach, but said:

“There are multiple concurrent and discreet ShinyHunters intrusion and extortion campaigns happening right now.”

Cloudskope’s Mann said what happens next depends largely on whether Instructure’s customers — the universities, K‑12 districts, and education ministries paying for Canvas — choose to apply pressure or absorb the breach quietly.

“The history of education‑vendor incidents suggests the path of least resistance is the second one,” he concluded.