Stored XSS in Canvas Support Workflow Exposed Data on 275 Million Students
Instructure's Canvas learning platform was reportedly breached after attackers planted a stored cross-site scripting (XSS) payload in a support ticket attachment. The payload executed in a support representative's browser when that employee opened the attachment, and because it ran in the same origin and browser session as the support tooling, it inherited the employee's authenticated session. The intrusion was attributed to ShinyHunters, which allegedly used that hijacked session to exfiltrate data tied to thousands of educational institutions, affecting an estimated 275 million students. Reporting on the incident says Instructure detected suspicious API activity on April 29, revoked the attacker's access by April 30, and later faced scrutiny over weak browser-side protections, a session scope far broader than a support agent's task required, and unsafe rendering of untrusted content.
The attackers were also reported to have exploited a second stored XSS flaw in Canvas discussions to gain administrator-level access, which they used to deface about 300 school login portals with ransom messages during finals and AP exams. The fallout included a Federal Student Aid security alert, a congressional inquiry, and claims that Instructure later shut down its Free-for-Teacher program permanently. Separate reporting also said the company reached an agreement with the attackers amid reports of a $10 million ransom payment, making the incident one of the most consequential education-sector breaches tied to application-layer trust failures.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Instructure permanently shuts down Free-for-Teacher program
The article states that Instructure later permanently shut down its Free-for-Teacher program following the breach. No explicit date for this action is given in the provided content.
Instructure reportedly reaches agreement with ShinyHunters
According to the article, Instructure later reached an agreement with ShinyHunters amid reports of a $10 million ransom payment. The source does not provide a specific date for this reported agreement.
Congress opens inquiry into the Canvas breach
The reporting states that Congress opened an inquiry into the incident following the breach disclosures. No specific date for the inquiry was provided in the source content.
Second stored XSS used to gain administrator access and deface portals
The attacker later reportedly exploited a second stored XSS vulnerability in Canvas discussions to obtain administrator-level access. This access was then used to deface about 300 school login portals with a ransom message during finals and AP exams.
Student data exfiltrated from thousands of educational institutions
Using the compromised authenticated session, the attacker reportedly exfiltrated data affecting thousands of educational institutions. The reporting describes the breach as exposing data tied to roughly 275 million students.
Attacker compromises Canvas support rep via stored XSS in support ticket
According to the referenced reporting, the initial breach began when a stored XSS payload embedded in a support ticket attachment executed as a Canvas support representative opened it. The attacker then abused the representative’s authenticated session to access Canvas data.
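The summary above and this timeline entry both describe the same root cause: an uploaded attachment was rendered inline, on the origin that holds the support agent's session, with whatever content type the uploader declared. The following is an added example, not Canvas or Instructure code, showing what that serving path looks like beside a hardened one and a check a reviewer can run against either. The origins, header set, helper names and the SVG attachment are assumptions constructed for the example; SVG is used because it is XML and can carry scripts, but the same logic applies to HTML or any other active type.

```javascript
'use strict';
// Added example (not Instructure's code): two ways a ticketing app can serve an uploaded
// attachment to the support agent who opens it. Origins, paths and helper names are assumptions.

// Constructed attachment: an SVG is XML, so it can carry scripts and event handlers.
// Rendered inline on the app's own origin, onload runs with the agent's session cookie
// and same-origin access to the app's API.
const UPLOAD = {
  name: 'screenshot.svg',
  declaredType: 'image/svg+xml',          // whatever the uploader's client claimed
  bytes: Buffer.from(
    '<svg xmlns="http://www.w3.org/2000/svg" onload="fetch(\'/api/v1/accounts\')">' +
    '<text>looks like a screenshot</text></svg>'),
};

const APP_ORIGIN = 'https://support.example.edu';      // where the agent's session cookie is scoped (assumed)
const FILES_ORIGIN = 'https://files-cdn.example.net';  // separate, cookieless origin for user files (assumed)

// Types a browser parses as a document and will execute scripts from.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);

// Passive types we are willing to label, each backed by the magic bytes that must be present.
const PASSIVE_MAGIC = {
  'image/png': [0x89, 0x50, 0x4e, 0x47],
  'image/jpeg': [0xff, 0xd8, 0xff],
  'application/pdf': [0x25, 0x50, 0x44, 0x46],
};

function magicMatches(bytes, type) {
  const sig = PASSIVE_MAGIC[type];
  return !!sig && sig.every((b, i) => bytes[i] === b);
}

// Vulnerable: trusts the declared type, renders inline, on the same origin as the session.
function serveAttachmentVulnerable(upload) {
  return {
    origin: APP_ORIGIN,
    status: 200,
    headers: {
      'Content-Type': upload.declaredType,
      'Content-Disposition': `inline; filename="${upload.name}"`,
    },
    body: upload.bytes,
  };
}

// Hardened: only passive types whose bytes match, everything else as a generic download;
// explicit attachment disposition, no sniffing, a sandboxing CSP, and a cookieless origin
// so that even a file that does get rendered has no session to hijack.
function serveAttachmentHardened(upload) {
  const type = magicMatches(upload.bytes, upload.declaredType)
    ? upload.declaredType
    : 'application/octet-stream';
  const safeName = upload.name.replace(/[^\w.-]/g, '_');
  return {
    origin: FILES_ORIGIN,
    status: 200,
    headers: {
      'Content-Type': type,
      'Content-Disposition': `attachment; filename="${safeName}"`,
      'X-Content-Type-Options': 'nosniff',
      'Content-Security-Policy': "sandbox; default-src 'none'",
    },
    body: upload.bytes,
  };
}

// Review check: would a browser run scripts from this response inside the agent's session?
// True only when the body is labelled as an active type, rendered inline, served from the
// origin that carries the session cookie, and not sandboxed by CSP.
function executesInAgentSession(res) {
  const h = res.headers;
  const active = ACTIVE_TYPES.has(h['Content-Type'].split(';')[0].trim());
  const inline = !/^attachment/i.test(h['Content-Disposition'] || '');
  const sandboxed = /\bsandbox\b/.test(h['Content-Security-Policy'] || '');
  return active && inline && res.origin === APP_ORIGIN && !sandboxed;
}

console.log('vulnerable executes in agent session:', executesInAgentSession(serveAttachmentVulnerable(UPLOAD)));
console.log('hardened executes in agent session:  ', executesInAgentSession(serveAttachmentHardened(UPLOAD)));
```

The four hardening controls are deliberately redundant: the separate origin removes the session even if a file is rendered, the attachment disposition and nosniff stop the browser from rendering it at all, and the CSP sandbox covers the case where a later change reintroduces inline display. Any one of them would have changed the outcome described on this page; the check function fails only when all of them are missing.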
Federal Student Aid office issues security alert
The U.S. Department of Education’s Federal Student Aid office issued a security alert on May 12, 2026, in response to the incident. The alert is cited in the reporting as part of the broader official response.
Instructure revokes attacker access
By April 30, 2026, Instructure had reportedly revoked the attacker’s access. This was described as the company’s immediate containment action following detection.
Instructure detects suspicious API activity
Instructure reportedly detected suspicious API activity associated with the breach on April 29, 2026. This marked the company’s discovery of the malicious activity described in the reporting.
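The reporting does not say what the suspicious API activity looked like, only that it was detected on April 29 and the session revoked the next day. The following is an added example, not Instructure's detection logic, of a rule a defender could run over API audit logs to catch the pattern this story describes: a support agent's session id suddenly appearing from a different network and sweeping many accounts in a short window. The log format, endpoint paths, field names, IP addresses and thresholds are all constructed assumptions.

```javascript
'use strict';
// Added example, not Instructure's own detection: flags a support session that is being
// used like a bulk exporter, which is what a hijacked agent session looks like server-side.
// Log format, endpoint paths, field names and thresholds are assumptions.

// Constructed audit log lines (not real Canvas logs).
const AUDIT_LOG = [
  // s-a1: an agent working one ticket for one account from the office network
  '2026-04-29T08:02:11Z session=s-a1 role=support ip=198.51.100.20 GET /api/v1/accounts/1001/users/55 200',
  '2026-04-29T08:03:40Z session=s-a1 role=support ip=198.51.100.20 GET /api/v1/accounts/1001/courses/901 200',
  // s-b2: the agent opened the ticket; the same session id then appears from another
  // network and walks through many accounts within a couple of minutes
  '2026-04-29T02:10:01Z session=s-b2 role=support ip=198.51.100.20 GET /api/v1/accounts/2001/users/7 200',
  '2026-04-29T02:14:03Z session=s-b2 role=support ip=203.0.113.9 GET /api/v1/accounts/3001/users?per_page=100 200',
  '2026-04-29T02:14:05Z session=s-b2 role=support ip=203.0.113.9 GET /api/v1/accounts/3002/users?per_page=100 200',
  '2026-04-29T02:14:06Z session=s-b2 role=support ip=203.0.113.9 GET /api/v1/accounts/3003/users?per_page=100 200',
  '2026-04-29T02:14:08Z session=s-b2 role=support ip=203.0.113.9 GET /api/v1/accounts/3004/users?per_page=100 200',
  '2026-04-29T02:14:09Z session=s-b2 role=support ip=203.0.113.9 GET /api/v1/accounts/3005/users?per_page=100 200',
  '2026-04-29T02:14:11Z session=s-b2 role=support ip=203.0.113.9 GET /api/v1/accounts/3006/users?per_page=100 200',
];

const LINE_RE = /^(\S+) session=(\S+) role=(\S+) ip=(\S+) (\S+) (\S+) (\d{3})$/;
const ACCOUNT_RE = /^\/api\/v1\/accounts\/(\d+)\b/;

// Parse one line into an event; unknown formats are skipped rather than guessed at.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const acct = ACCOUNT_RE.exec(m[6]);
  return {
    ts: Date.parse(m[1]), session: m[2], role: m[3], ip: m[4],
    method: m[5], path: m[6], status: Number(m[7]),
    account: acct ? acct[1] : null,
  };
}

// Two signals per support session:
//   1. the same session id used from more than one client IP (session reuse, not bound to
//      the client that logged in);
//   2. more than maxAccounts distinct accounts touched inside any windowMs-long window
//      (a human agent works one or two accounts per ticket; an exporter walks all of them).
function flagSessions(lines, opts = {}) {
  const windowMs = opts.windowMs ?? 10 * 60 * 1000;
  const maxAccounts = opts.maxAccounts ?? 5;
  const bySession = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.role !== 'support') continue;
    if (!bySession.has(ev.session)) bySession.set(ev.session, []);
    bySession.get(ev.session).push(ev);
  }
  const flagged = {};
  for (const [session, events] of bySession) {
    events.sort((a, b) => a.ts - b.ts);
    const reasons = [];
    if (new Set(events.map((e) => e.ip)).size > 1) reasons.push('session-used-from-multiple-ips');
    let peak = 0;
    for (let i = 0; i < events.length; i++) {
      const seen = new Set();
      for (let j = i; j < events.length && events[j].ts - events[i].ts <= windowMs; j++) {
        if (events[j].account) seen.add(events[j].account);
      }
      peak = Math.max(peak, seen.size);
    }
    if (peak > maxAccounts) reasons.push(`account-sweep:${peak}-accounts-in-${windowMs / 60000}m`);
    if (reasons.length) flagged[session] = reasons;
  }
  return flagged;
}

console.log(flagSessions(AUDIT_LOG));
```

The IP signal is cheap and catches the hijack the moment the stolen session is replayed from the attacker's own network; it will also fire on agents who roam between networks, so in practice it is paired with the sweep signal or with explicit session binding at login. The thresholds here are illustrative and should be tuned against a baseline of what real support sessions touch per hour.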


