
Instructure discloses cyber incident affecting Canvas services

Updated 13h ago | First seen May 2, 2026 | 141 sources

Instructure, the U.S. education technology company behind the Canvas learning platform, disclosed that it recently suffered a cybersecurity incident involving a criminal threat actor and has engaged outside forensic experts to investigate the scope and impact. The company said it is still determining what systems or data were affected and has not yet confirmed whether service disruptions beginning May 1—including maintenance affecting Canvas Data 2, Canvas Beta, and tools dependent on API keys—are directly tied to the incident.

The disclosure comes as education technology providers face sustained targeting because they hold large volumes of student and teacher information. Reporting around the incident notes that Instructure had already disclosed a separate Salesforce-related breach in September 2025 linked to social engineering, while external leak-site style listings have also associated the company with ShinyHunters claims that remain unverified. The latest incident also follows other major school technology breaches, including PowerSchool and Infinite Campus, underscoring continued pressure on the sector.


EVENT TIMELINE

How this story unfolded

51 events from the most recent confirmed update back to the earliest known activity.

May 23, 2026 (3d ago)

LBUSD, Cal State Long Beach, and LBCC tied to Canvas disruption

Reporting said the Instructure/Canvas cyberattack disrupted access for Long Beach Unified School District, California State University Long Beach, and Long Beach City College, adding three newly disclosed educational institutions to the list of affected organizations. The reference said users encountered ransom-style messages attributed to ShinyHunters and that the outage affected grading, coursework, and communications.

Ransomware Attack Disrupts Grading Platform Used by LBUSD Cal State and LBCC - CySecurity News - Latest Information Security and Hacking Incidents
May 15, 2026 (11d ago)

FBI issues PSA warning on ShinyHunters extortion tactics

The FBI issued a Public Service Announcement warning that cybercriminal claims tied to incidents such as the Canvas attack may be exaggerated or fabricated to pressure victims into paying. The bureau advised victims not to engage with extortionists, to verify suspicious communications through trusted channels, preserve evidence, and report incidents to IC3.

ShinyHunters Claims Credit for Cyber-Attack on Online Learning Management System
May 14, 2026 (12d ago)

Senate HELP Committee joins congressional scrutiny of Instructure

The Senate Committee on Health, Education, Labor, and Pensions sent a letter to Instructure CEO Steve Daly seeking answers about the repeated Canvas attacks, including whether a ransom was paid and whether the incidents were linked to the September 2025 Salesforce compromise. This expanded congressional scrutiny beyond the House Homeland Security Committee's earlier inquiry.

Congress Puts Heat on Instructure After Canvas Outage
May 13, 2026 (13d ago)

House lawmakers demand Instructure testify on Canvas breaches

U.S. House Homeland Security Committee lawmakers pressed Instructure to testify and answer questions about the two Canvas-related cyberattacks, including how the same vulnerability was allegedly exploited twice, what data was taken, how schools were notified, and whether the company coordinated adequately with CISA. The development marked an escalation from the committee's earlier inquiry into active congressional scrutiny of Instructure's incident response.

US lawmakers demand answers from Instructure after Canvas data breaches | TechCrunch
May 12, 2026 (14d ago)

Instructure says it paid extortion demand to prevent Canvas data leak

Instructure disclosed that it reached an agreement with the extortion group tied to the Canvas breach, paid to stop publication of the stolen data, received the data back, and obtained digital confirmation that it was destroyed. The company also said affected customers would not face separate extortion attempts under the agreement.

Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak

ShinyHunters resets Canvas leak deadline to May 12

In reporting published May 12, ShinyHunters said schools affected by the Instructure/Canvas breach had until May 12, 2026 to negotiate directly before stolen data would be leaked. This updated the gang's extortion posture after the earlier defacement campaign had already threatened publication on the same date.

Double Canvas intrusion confirmed as ShinyHunters resets leak deadline

Report details XSS flaws used to hijack Canvas admin sessions

Reporting said the attackers exploited multiple cross-site scripting vulnerabilities in Canvas user-generated content features to hijack authenticated administrator sessions and carry out privileged actions. The technical details provided new insight into how the Free-for-Teacher compromise and subsequent May 7 defacement were executed.

Instructure reaches 'agreement' with ShinyHunters to stop data leak
May 11, 2026 (15d ago)

ShinyHunters says its shinyhunte.rs domain was suspended

ShinyHunters claimed on May 11 that its clearnet domain, shinyhunte.rs, had been suspended and was no longer under the group's control, warning users not to trust it. The suspension prompted speculation about possible law enforcement action, although no official seizure was confirmed in the reference.

ShinyHunters claims domain suspension after Canvas LMS attacks | brief | SC Media

Australian cyber agencies coordinate Canvas breach response

Australia's National Office of Cyber Security and the Australian Signals Directorate said they were coordinating the response to the Instructure/Canvas incident and warned affected institutions not to pay ransom demands or engage with unsolicited extortion attempts. The move marked a formal Australian government response to the ShinyHunters-linked breach affecting schools and universities.

Deadline set by cybercriminal group looms as some institutions regain Canvas access - ABC News

FBI acknowledges Canvas breach as House committee opens inquiry

U.S. authorities publicly engaged with the Instructure/Canvas incident, with the FBI saying it was aware of the compromise and the House Homeland Security Committee opening an inquiry. The development marked a federal response to the breach and disruption affecting educational institutions.

Canvas breach spotlights cybercriminal appetite for student data - Nextgov/FCW

Birmingham, Oxford, Edinburgh, and Mississippi State report Canvas disruption

IT Pro reported that the Universities of Birmingham, Oxford, Edinburgh, and Mississippi State University were among institutions dealing with disruption from the Instructure/Canvas cyberattack during the exam period. This adds four newly disclosed institutions publicly tied to the broader incident across the UK and U.S.

Universities worldwide still struggling with fallout from Canvas cyber attack | IT Pro
May 8, 2026 (18d ago)

Proposed class action lawsuit emerges over Canvas data breach

The reference says the 2026 Canvas data breach prompted a proposed class action lawsuit in the United States. This marks a new legal escalation beyond the previously documented institutional responses, extortion activity, and congressional scrutiny.

2026 Canvas data breach - Wikipedia

UMass Lowell, MIT, Northeastern, Emerson, and Wellesley tied to Canvas outage

CBS Boston reported that the Instructure/Canvas cyberattack disrupted academic operations at additional Massachusetts institutions, including UMass Lowell, MIT, Northeastern University, Emerson College, and Wellesley Public Schools. The outage during finals forced some schools to postpone exams or deadlines, while UMass Dartmouth was also affected but had already been captured in earlier reporting.

Canvas goes down after hack, forcing some Massachusetts colleges to postpone final exams - CBS Boston

Dutch universities block Canvas after breach escalation

Dutch institutions including the University of Twente, Erasmus University Rotterdam, Fontys University of Applied Sciences, and Vrije Universiteit Amsterdam temporarily blocked Canvas in response to the ongoing Instructure/ShinyHunters incident, while Deltion later restored access after review. The schools said they were investigating potential impact, running crisis response measures, and warning users about phishing tied to the breach.

Universiteiten en hogescholen blokkeren studie-app Canvas na hack

Howard County schools posts Canvas breach updates

Howard County Public School System published updates about the May 2026 Instructure/Canvas security breach, indicating the district was publicly responding to the incident and communicating impact or guidance to its community. This adds HCPSS as another newly disclosed educational institution tied to the broader breach.

May 2026 Instructure/Canvas Security Breach Updates - HCPSS News

University of Memphis posts notice on Canvas security incident

The University of Memphis published a notice about the May 2026 Instructure/Canvas security incident, indicating it was publicly responding to the vendor breach and communicating potential impact or guidance to its community. This adds the University of Memphis as another newly disclosed institution tied to the broader incident.

Instructure Data Breach | May 2026

Instructure links May 7 attack to Free-For-Teacher vulnerability

Instructure said attackers breached its infrastructure a second time through an unspecified vulnerability in the Free-For-Teacher version of Canvas, leading to the May 7 defacement and disruption. The company said it temporarily took Canvas offline, shut down Free-For-Teacher accounts during containment, and had found no evidence of persistence, credential theft, or broader data theft from that disruption.

Canvas E-Learning Platform Breached by Cybercriminals

NUS, SIM, and ISCA named among Singapore institutions hit by Canvas breach

The Straits Times reported that the National University of Singapore, Singapore Institute of Management, and the Institute of Singapore Chartered Accountants were among organizations affected by the global Instructure/Canvas breach. Singapore's Cyber Security Agency said it was monitoring the incident and had contacted affected organizations to offer assistance and mitigation advice, while the institutions said core internal systems were largely unaffected and contingency measures were in place.

NUS named in global data breach list | The Straits Times

University of Illinois and UMass Dartmouth alter exams after Canvas disruption

The University of Illinois and the University of Massachusetts Dartmouth reported that the Canvas cyberattack disrupted coursework during finals, forcing postponements, rescheduling, or deadline extensions for exams and assignments. This adds two newly disclosed institutions with concrete academic impact from the broader Instructure incident.

Chaos erupts as cyberattack disrupts learning platform Canvas amid finals - Ars Technica

OCAD, Mohawk, Ontario Tech, and Ivey named in Canvas breach

CBC reported that several Ontario institutions were impacted by the Instructure/Canvas cyber incident, including OCAD University, Mohawk College, Ontario Tech University, and Western University's Ivey Business School. This adds four newly disclosed Canadian institutions publicly tied to the broader breach; the University of Toronto had already been identified in earlier reporting.

U of T, OCAD among Ontario universities impacted by Canvas cyber breach | CBC News

Idaho State, Toronto, and Chicago report Canvas disruption

BBC reported that Idaho State University, the University of Toronto, and the University of Chicago publicly confirmed operational disruption from the Instructure/Canvas cyber incident. The report said the outage affected coursework and examinations as institutions warned students about prolonged access issues or took precautionary steps such as logging out or disabling access.

International cyber attack disrupts swath of universities and schools

Queensland's QLearn reports disruption from Canvas cyber incident

ABC Australia reported that Queensland's QLearn platform, used across universities, TAFEs, and public schools, was disrupted as part of the broader Instructure/Canvas cyber incident. Officials and education providers said investigations were ongoing and warned users about phishing and scam risks tied to exposed contact information.

Tens of thousands of students and teachers unable to access QLearn following cybersecurity breach - ABC News

Instructure says Canvas mostly restored as schools report ongoing disruption

By late 2026-05-08, Instructure said Canvas had become available for most users following the widespread cyberattack, though some institutions continued reporting outages on Friday. The disruption affected schools internationally, including exam cancellations at Penn State University and service warnings from the University of Sydney.

International cyber attack disrupts swath of universities and schools

Sacramento State reports ongoing Canvas disruption from cyberattack

CBS Sacramento reported that Sacramento State was among the institutions affected by the nationwide Instructure/Canvas cyberattack, with disruption continuing into Friday morning during the run-up to finals and graduation. Users saw a ShinyHunters ransom message threatening to leak stolen data unless Instructure paid by May 12, adding Sacramento State as a newly disclosed impacted university.

Sacramento State caught in nationwide cyberattack targeting online learning platform - CBS Sacramento

Duke, UCLA, and Nebraska reported among Canvas-affected institutions

Reuters, citing student newspaper reporting, said Duke University, UCLA, and the University of Nebraska were among institutions reporting impact from the Instructure/Canvas breach and related disruption. This adds three newly disclosed universities to the list of schools publicly tied to the incident.

teiss - News - Education tool Canvas hacked, multiple US college newspapers report

University of Virginia posts notice on Canvas security incident

The University of Virginia published a notice about the May 2026 Instructure/Canvas cybersecurity incident, indicating it was publicly responding to the vendor breach and communicating potential impact or guidance to its community. This adds UVA as another newly disclosed institution tied to the incident.

Instructure Cybersecurity Incident - May 2026 | UVACanvas

Harvard, Columbia, and Georgetown warn students about Canvas breach

WIRED reported that Harvard, Columbia, and Georgetown warned students about the Instructure/Canvas security incident and its potential impact. This adds three newly disclosed institutions publicly responding to the breach, while Rutgers had already been identified in earlier reporting.

The Canvas Hack Is a New Kind of Ransomware Debacle | WIRED

UBC and SFU acknowledge Canvas breach impact

The University of British Columbia and Simon Fraser University said the Instructure/Canvas cyber breach could affect their communities, with SFU warning that exposed data may include names, email addresses, student ID numbers, and user messages. UBC said it learned of the incident late Tuesday and advised users to log out of Canvas, change passwords if they had logged in that afternoon, and remain alert for phishing.

UBC, SFU among thousands of universities affected by Canvas software cyber breach | CBC News
May 7, 2026 (19d ago)

TasTAFE says Canvas breach affected Tasmania and involved ransom demand

ABC Australia reported that Tasmania was among the jurisdictions affected by the Instructure/Canvas breach, with TasTAFE investigating exposure and stating that the hackers were demanding a ransom. The article also said Australian education providers and authorities were assessing impact while the stolen Canvas data had not yet been publicly released at the time of reporting.

Canvas data breach leaves education providers scrambling as student data compromised - ABC News

Pitt County Schools posts update on Canvas data breach

Pitt County Schools published an update regarding the Instructure/Canvas data breach, indicating the district was publicly responding to the incident and communicating potential impact or guidance to its community. This adds Pitt County Schools as another newly disclosed affected institution tied to the broader breach.

Important Update Regarding Canvas Data Breach | Post Details (DBPP)

University of Utah responds to Canvas data breach

The University of Utah published a notice saying its UIT team was responding to the Instructure/Canvas security incident and communicating guidance or impact information to its community. This adds the University of Utah as another publicly disclosed institution tied to the broader breach.

UIT responding to Canvas security incident - @theU

Universities report widespread Canvas outage amid cyber incident

On 2026-05-07, universities across the U.S. reported outages affecting the Canvas learning platform during the ongoing Instructure cyber incident. Institutions including Stanford, Columbia, Princeton, and Boston College said they were experiencing disruption or warned students to watch for suspicious messages.

Harvard, BC among schools reporting online cyber outage

Canvas defacement campaign expands to about 330 institutions

BleepingComputer reported that ShinyHunters' extortion-related defacement spread to roughly 330 colleges and universities, appearing on Canvas login pages and in the Canvas app with a ransom deadline of May 12, 2026. The report also said Instructure took Canvas offline in response, marking a significant escalation in scope and operational impact.

Canvas login portals hacked in mass ShinyHunters extortion campaign

ShinyHunters defaces Canvas login pages at three schools

TechCrunch observed defaced Canvas login pages at three schools displaying a message attributed to ShinyHunters, threatening to publish stolen data on May 12 unless Instructure negotiated a settlement. The defacement appeared linked to an injected HTML file, indicating a new extortion escalation beyond the previously disclosed data breach.

Hackers deface school login pages after claiming another Instructure hack | TechCrunch
May 6, 2026 (20d ago)

RMIT and UTS extend deadlines after Canvas disruption

The Guardian reported that Australia's RMIT University and the University of Technology Sydney were affected by the Instructure/Canvas incident and extended assignment deadlines in response. This adds two newly disclosed institutions with concrete academic impact from the broader breach and outage.

Canvas hack: is it ever a good idea to pay a ransom, and what happens to the data? | Cybercrime | The Guardian

University of California posts UC-wide notice on Canvas breach

UCnet published a notice about the nationwide security breach involving Canvas, indicating the University of California system was publicly responding to the Instructure incident and assessing or communicating potential impact to its community. This adds the University of California as another newly disclosed institution tied to the breach.

Nationwide security breach involving Canvas | UCnet

University of Pennsylvania says Canvas breach affected over 300,000 users

The Daily Pennsylvanian reported that the University of Pennsylvania said more than 300,000 Penn users were affected by the Instructure/Canvas hack claimed by ShinyHunters. This adds Penn as a newly disclosed impacted institution and provides a specific user-impact estimate tied to the broader breach.

Over 300,000 Penn users affected in Canvas hack, cybercrime group claims - The Daily Pennsylvanian

Baylor University says Instructure breach affects its community

Baylor University Information Technology Services published a notice stating that the Instructure data breach impacts U.S. universities, indicating Baylor was among the institutions affected or assessing impact from the Canvas incident. This adds Baylor as a newly disclosed institution publicly responding to the breach.

UPDATE: Instructure Has Taken Canvas Offline | Information Technology Services | Baylor University
May 5, 2026 (21d ago)

Texas Education Agency issues Canvas security incident guidance

The Texas Education Agency published a security advisory for Canvas users in response to the Instructure incident, providing guidance and public communication about the breach's potential impact. This adds TEA as another publicly disclosed education-sector entity responding to the Canvas incident.

Security Advisory: Canvas (Instructure) Security Incident - Guidance for Canvas Users

St. Petersburg College posts notice on Instructure cyber incident

St. Petersburg College published a notice about the Instructure cybersecurity incident, indicating the college was monitoring or responding to the Canvas-related breach and its potential impact on the institution. This adds St. Petersburg College as another publicly disclosed affected institution tied to the incident.

Instructure Cybersecurity Incident || St. Petersburg College

Colorado Boulder, Rutgers, and Tilburg acknowledge Canvas incident

Several universities, including the University of Colorado Boulder, Rutgers, and Tilburg University, issued statements acknowledging the broader Instructure/Canvas security incident or said they were still assessing whether their data was affected. This added newly disclosed institutions publicly responding to the breach's potential impact.

Instructure hacker claims data theft from 8,800 schools, universities

ShinyHunters shares sample Instructure data with TechCrunch

TechCrunch reported that ShinyHunters shared sample data allegedly stolen from Instructure, tied to two U.S. schools in Massachusetts and Tennessee, appearing to validate part of the gang’s breach claims. The broader victim-count claims remained unverified.

Hackers steal students' data during breach at education tech giant Instructure | TechCrunch
May 4, 2026 (22d ago)

UT Austin posts notice on Canvas vendor security incident

The University of Texas at Austin published a notice about the May 2026 Canvas vendor security incident, indicating it was publicly responding to the Instructure breach and assessing or communicating potential impact to its community. This adds UT Austin as another newly disclosed institution tied to the incident.

Canvas Vendor Security Incident - May 2026 | Enterprise Technology

UMass Amherst issues Canvas security incident monitoring update

UMass Amherst Information Technology published an update saying it was monitoring the Instructure/Canvas security incident and providing Canvas-related status information. This represents a newly disclosed institution publicly responding to the breach's potential impact.

Monitoring: Instructure Security Incident & Canvas Updates Mon., 5/4 : UMass Amherst Information Technology : UMass Amherst

Wayzata Public Schools warns parents about Canvas breach impact

Wayzata Public Schools sent warning letters to parents about the Canvas/Instructure data breach, indicating the incident affected data tied to the district. This represents a newly disclosed affected institution responding directly to the breach.

Canvas data breach: Wayzata Public Schools sends warning letter to parents | FOX 9 Minneapolis-St. Paul
May 3, 2026 (23d ago)

Instructure confirms data exposure and details remediation steps

Instructure said the 2026 cyber incident exposed certain user data, including names, email addresses, student ID numbers, and user messages at affected institutions, while reporting no evidence that passwords, dates of birth, government identifiers, or financial data were involved. The company said it engaged third-party cybersecurity experts and law enforcement, deployed patches, increased monitoring, rotated application keys, and required customers to re-authorize API access.

Instructure confirms data breach, ShinyHunters claims attack
May 1, 2026 (25d ago)

Instructure discloses new cyber incident and starts forensic probe

Instructure disclosed that it recently experienced a cybersecurity incident caused by a criminal threat actor. The company said it engaged outside forensic experts, began investigating the scope and impact, and would share more information as the investigation progresses.

Instructure says some Canvas services entered maintenance

Beginning May 1, Instructure customers were told that services including Canvas Data 2 and Canvas Beta were under maintenance, and that tools relying on API keys might experience issues. The company did not confirm whether this maintenance was connected to the cyber incident.

Apr 29, 2026 (27d ago)

Instructure says it discovered the breach on April 29

Instructure said the breach underlying the Canvas incident was discovered on April 29, 2026, before its public disclosure. The company later linked the May 7 defacement disruption to this earlier compromise.

Multiple universities forced to reschedule final exams after Canvas cyber incident | The Record from Recorded Future News
Oct 3, 2025 (8mo ago)

ShinyHunters leak-site listing names Instructure as a victim

A ransomware/leak-site style listing attributed an Instructure incident to ShinyHunters and claimed broad compromise metrics, including compromised employees and users. The listing said the attack was discovered on October 3, 2025, though the claims were not independently verified in the reference material.

Sep 21, 2025 (8mo ago)

Instructure discloses Salesforce-related security incident

Instructure published an update about a separate security incident affecting its Salesforce environment that was tied to social engineering. Later reporting said ShinyHunters claimed responsibility for this 2025 breach.
