Canvas Breach Disrupted Schools and Exposed User Data via Free-for-Teacher Flaw
A cyberattack against Instructure’s Canvas platform disrupted universities and K-12 schools across the United States, with major California institutions including UC, CSU, USC, Stanford, and community colleges reporting outages and academic disruption during finals. Ransom notes attributed to ShinyHunters appeared on some school homepages, and the FBI said it was assisting victims in multiple states while warning students and staff not to engage with extortionists or scammers. Schools extended deadlines, changed exam schedules, and shifted to alternate communication channels as Canvas services were restored.
Instructure said an unauthorized actor exploited a vulnerability tied to support tickets in its Free for Teacher environment, which the company temporarily disabled while conducting a broader security review. The company later confirmed unauthorized access to part of its environment and said exposed data could include usernames, email addresses, course names, enrollment information, student ID numbers, and user messages, while passwords, dates of birth, government identifiers, financial data, course content, submissions, and credentials were not compromised. The incident renewed scrutiny of centralized education technology providers after earlier education-sector extortion cases, including reports that PowerSchool paid a ransom following claims that data on 62 million students had been stolen.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Instructure identifies exploited Free for Teacher support-ticket vulnerability
In its May 20, 2026 update, Instructure said the attacker exploited a vulnerability related to support tickets in its Free for Teacher environment and that the service had been temporarily disabled pending review.
Instructure publishes incident update and exposed-data details
On May 20, 2026, Instructure disclosed unauthorized access to part of its environment, listed exposed fields including usernames, email addresses, course names, enrollment information, and messages, and said credentials and course content were not compromised.
Instructure says it reached agreement to prevent data publication
On May 11, 2026, Instructure said it had reached an agreement intended to prevent publication of data stolen in the Canvas attack and had received evidence that the data was deleted. The reference notes that such assurances from threat actors should not be fully trusted.
ShinyHunters claims University of California data breach
By May 10, 2026, reporting said ShinyHunters claimed the University of California was among the organizations affected in the Canvas-related breach, identifying a specific victim tied to the broader Instructure incident.
FBI begins assisting victims in multiple states
As the Canvas incident unfolded in early May 2026, the FBI said it was assisting affected organizations in multiple states and warned victims not to engage with extortionists or scammers.
Instructure restores Canvas and disables Free-For-Teacher accounts
By May 8, 2026, Instructure said it had restored broader Canvas access after temporarily shutting down Free-For-Teacher accounts tied to the exploited issue.
ShinyHunters claims responsibility for Canvas attack
During the May 7, 2026 disruption, the extortion group ShinyHunters claimed it had breached Instructure and accessed data from millions of students, teachers, and staff.
Canvas outage and extortion messages disrupt schools nationwide
On May 7, 2026, a cyberattack disrupted Instructure's Canvas platform during the finals period; ransom notes appeared on multiple school homepages, and universities and K-12 schools extended deadlines and used alternate channels.
Instructure suffers initial Canvas security incident
On or around May 1, 2026, Instructure experienced a cybersecurity incident affecting Canvas in which data such as usernames, email addresses, student ID numbers, and communications from some institutions appeared to have been exposed.
Hacker claims theft of 62 million students' PowerSchool data
By January 22, 2025, a threat actor claimed to have stolen data belonging to 62 million students from PowerSchool, escalating the apparent scale of the incident.
PowerSchool reportedly pays ransom after student data theft
Reporting on January 9, 2025 said PowerSchool paid a ransom in an effort to prevent publication of stolen student data following a breach affecting school records.
Sources
12 references tracked.
Canvas attack aftermath: What risks come next? | SOPHOS
sophos.com
Security Incident Update & FAQs | Instructure
instructure.com
Instructure Canvas Outage - JMU
jmu.edu
Canvas data breach hits UC, CSU, USC, Stanford, community colleges - Los Angeles Times
latimes.com
Canvas hack: What we know about apparent cyberattack that impacted thousands of schools | CNN
edition.cnn.com
PowerSchool hacker claims they stole data of 62 million students
bleepingcomputer.com
PowerSchool Reportedly Pays Ransom to Prevent Student Data Leak - Infosecurity Magazine
infosecurity-magazine.com


