Instructure disclosed a major breach of its Canvas learning management system after the ShinyHunters group allegedly exploited a vulnerability in the platform’s Free-For-Teacher account program on April 30, 2026. The attackers claimed to have stolen data on 275 million individuals, including student, faculty, and staff information and private messages between students and teachers, with reports estimating about 3.65 TB of exfiltrated data. The incident was reported to affect thousands of institutions worldwide, with cited impact ranging from 8,809 to roughly 15,000 schools and organizations across the U.S., Europe, and the U.K.
After Instructure initially chose to patch systems rather than negotiate, ShinyHunters escalated the campaign by defacing Canvas login portals and disrupting final examinations at multiple universities when a ransom deadline approached. Instructure later suspended the Canvas portal during the fallout, and subsequent reporting said the company paid a ransom after receiving digital confirmation that the stolen data had been destroyed and that customers would not face further extortion. The operation was characterized as a pay-or-leak extortion campaign that abused account access, application-layer weaknesses, and platform or API functionality rather than deploying malware or encrypting systems.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
In September 2025, ShinyHunters reportedly breached Instructure’s Salesforce business systems through social engineering. The source notes no public confirmation that this earlier intrusion directly enabled the later Canvas compromise.
On 2026-05-12, it was reported that Instructure paid a ransom and said it received digital confirmation that the stolen data had been destroyed. The company also said customers would not be extorted.
On 2026-05-07, Instructure suspended the Canvas portal as the incident disrupted some schools’ final exams. This was reported alongside the widening operational impact of the breach.
On 2026-05-07, ShinyHunters escalated the campaign by defacing Canvas login portals across affected institutions and setting a ransom deadline of 2026-05-12. The disruption affected final examinations at multiple universities.
On 2026-05-01, Instructure confirmed a major data breach affecting its Canvas learning management system. Reporting said the incident had broad impact across institutions in the U.K., Europe, and the U.S.
On 2026-04-30, ShinyHunters exploited a vulnerability in Instructure’s Free-For-Teacher account program to gain unauthorized access to Canvas. The group allegedly stole about 275 million records and exfiltrated roughly 3.65 TB of data affecting thousands of institutions.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.