Update (May 8, 2026): Instructure confirmed the Canvas incident involved two phases of unauthorized activity, including a second event on May 7 that briefly took the platform offline.
The company said the attacker gained access on April 29 by exploiting Free-For-Teacher accounts, and reused the same method to modify pages seen by some logged-in users during the May 7 activity.
Data taken in the April 29 incident includes names, email addresses, student ID numbers, and user messages. Instructure stated no passwords, government identifiers, or financial data were accessed, and found no evidence of data theft during the May 7 activity.
As part of its response, Instructure has shut down Free-For-Teacher accounts, revoked tokens and credentials, rotated internal keys, and deployed additional monitoring and safeguards across the platform.
Canvas is now back online, and Instructure stated that its forensic partners have found no evidence that the threat actor currently maintains access to the platform.
Update (May 7, 2026): The ShinyHunters listing for Instructure has been removed from the group’s leak site, where it was previously presented as part of a pay-or-leak extortion demand. The removal may indicate that negotiations are underway between the threat actor and the company, though this has not been confirmed. It remains unclear whether any agreement has been reached or if the data will be published at a later stage.
Update (May 6, 2026): ShinyHunters has published an additional download link that reportedly contains a list of institutions affected by the alleged Canvas LMS breach. The dataset appears to include hundreds of universities, school districts, and education platforms worldwide, suggesting a significantly broader scope than what Instructure has publicly confirmed. BreachNews has reviewed the list and found it aligns with the group’s earlier claims of widespread institutional impact, though the accuracy and relationship of these organizations to the confirmed breach remain unverified.
Instructure has confirmed that a cyberattack led to unauthorized access to user data, while the ShinyHunters threat group claims responsibility and alleges a far broader breach impacting hundreds of millions of individuals.
The U.S.-based education technology company, best known for its Canvas learning management system, disclosed the incident on May 2, stating that it is working with third-party cybersecurity experts and law enforcement to investigate the scope and impact. The company later confirmed that personal information belonging to users at affected institutions was exposed.
At the time of publication, Instructure had not issued any public statement addressing the specific claims made by ShinyHunters.
Company confirms exposure of user data and communications
According to Instructure, the data accessed in the incident includes identifying information such as names, email addresses, and student ID numbers, along with messages exchanged between users on the platform.
The company stated that it has not found evidence that more sensitive data, such as passwords, dates of birth, government identifiers, or financial information, was involved. However, the investigation remains ongoing, and the scope of impacted institutions has not been publicly disclosed.
The inclusion of user messages suggests the breach may extend beyond basic account data, potentially exposing private communications between students, teachers, and staff.
ShinyHunters claims significantly larger dataset
Shortly after the disclosure, ShinyHunters listed Instructure on its data leak site, claiming responsibility for the attack and alleging a much larger data theft than what has been confirmed by the company.
The group claims the breach affects thousands of educational institutions worldwide and involves data tied to hundreds of millions of individuals, including students, teachers, and administrative staff. The alleged dataset is said to include personal information, course enrollment data, and large volumes of private messages exchanged on the platform.
Attack vector and timeline remain unclear
The threat group claims the data was obtained through exploitation of a vulnerability in Instructure’s systems that has since been patched. However, no technical details have been provided to support this claim, and Instructure has not confirmed the method of access.
It is also unclear when the breach occurred or how long attackers may have had access to affected systems. The lack of detail around initial access and dwell time leaves open questions about the full extent of the compromise.
Response measures and required customer actions
In response to the incident, Instructure says it has deployed patches, increased system monitoring, and rotated application keys as a precaution.
Customers using Instructure’s APIs are required to re-authorize access in order to receive new application keys, indicating that credential or token exposure may be part of the company’s risk assessment.
Scale and impact still under investigation
The discrepancy between what Instructure has confirmed and what ShinyHunters claims highlights the uncertainty surrounding the breach. While the company has acknowledged data exposure, the full scale, affected user base, and potential downstream risks remain unclear.
If the threat actor’s claims are accurate, the incident could represent one of the largest breaches affecting education platforms, with implications for student privacy and institutional data security across multiple regions.
Until further details are confirmed, affected organizations and users should monitor for suspicious activity, particularly phishing attempts or unexpected communications referencing coursework, accounts, or institutional access.












