The Canvas Hack: How ShinyHunters Breached Instructure and What Schools Should Do Next

  • ShinyHunters breached Canvas by exploiting the Free-For-Teacher account program, a freemium tier that shared production infrastructure with paid institutional tenants but applied weak identity verification.
  • It was the second ShinyHunters attack against Instructure in eight months, following a September 2025 social engineering campaign, which signals systematic targeting, not opportunistic access.
  • Confirmed exposed data includes student names, email addresses, student ID numbers and private Canvas messages, though ShinyHunters claims a far larger dataset that Instructure has not confirmed.
  • The stolen data enables spear phishing attacks that reference real course names, private messages and student IDs, making them far harder to spot than generic phishing emails.
  • Any potentially impacted institutions should rotate API credentials, audit third-party Canvas integrations and deploy targeted phishing awareness communications now.
  • The Canvas breach is a warning about freemium tiers in enterprise SaaS, where lower-friction onboarding paths that share production infrastructure can become exploitation gaps.

When Canvas went dark during final exams, thousands of institutions got a reminder that the most critical systems in higher education are also the most attractive targets for cybercriminals.

Instructure, the company behind the Canvas learning management system (LMS), confirmed that attackers gained unauthorized access to production Canvas data, exposing student names, email addresses, student ID numbers and private messages across an estimated 9,000 schools worldwide. The group responsible was ShinyHunters, one of the most prolific data theft and extortion operations active today.

This incident wasn’t a sophisticated zero-day attack against hardened enterprise infrastructure. It was an exploitation of a freemium account tier with weaker identity verification standards that shared production systems with paid institutional customers.

The lesson for higher education IT leaders isn’t just about Canvas. It’s about what happens when SaaS vendor trust boundaries don’t match the sensitivity of the data they protect.

Who Is ShinyHunters?

ShinyHunters – cheekily named after a type of gamer who tracks down alternate-color, or “shiny,” monsters in the Pokémon video game series – has operated as a data theft and extortion group since 2020, when it first appeared publicly by listing stolen databases on underground markets with the methodical efficiency of a commercial operation. The group functions less like a traditional criminal organization and more like a brand or franchise, with a small number of core members who coordinate large-scale campaigns and a broader network of affiliates who operationalize them.

Their most consequential campaign to date was the 2024 Snowflake credential theft wave, which compromised approximately 165 organizations including AT&T, Ticketmaster and Santander Bank. That attack didn’t exploit a platform vulnerability in Snowflake. It exploited stolen credentials replayed against accounts that lacked multi-factor authentication (MFA), a credential and configuration control failure that cascaded across hundreds of millions of records.

The group’s tactics continue to evolve. According to Google Cloud’s Mandiant threat intelligence unit, ShinyHunters shifted from basic data exfiltration to voice phishing and social engineering campaigns directly targeting SaaS platforms. Arrests of individual members in Canada and France haven’t dismantled the operation, which continues to function as an extortion-as-a-service model, using breach claims and public disclosure deadlines to pressure institutions into payment.

The group specifically targets organizations that provide services to multiple other organizations. A single breach at a cloud data platform, a CRM provider or an LMS company cascades across thousands of downstream victims simultaneously. That’s not a coincidence; it’s a deliberate strategic choice that maximizes extortion leverage per breach.

How Did the Canvas Data Breach Happen?

Instructure confirmed that the attacker exploited an issue related to the Free-For-Teacher account program. Free-For-Teacher accounts let educators create Canvas accounts without institutional affiliation or formal verification, giving them access to Canvas features for classroom use. These accounts didn’t run on a separate sandbox or testing environment. They ran on production Canvas infrastructure, the same systems that housed institutional course data, student records and private messages.

This is a standard architecture in multi-tenant SaaS, where multiple customers share the same infrastructure and data separation relies on configuration rather than physical separation. When implemented correctly, tenant isolation prevents one customer’s breach from affecting others. When the identity verification step in a freemium tier is weaker than the production environment it connects to, that isolation depends on attackers not discovering the gap.

ShinyHunters found it.

Instructure detected the unauthorized activity on April 29 and immediately revoked the attacker’s access, rotated privileged credentials and API keys and engaged forensic investigators and law enforcement. ShinyHunters publicly claimed responsibility on May 3 and launched an extortion campaign with an initial deadline of May 7, later extended to May 12. On May 7, Canvas was taken offline for investigation. ShinyHunters defaced the login pages of multiple institutions with ransomware messages during the breach window.

The details of these defacements are important. Replacing a login page requires more than read-only data access. It requires write access to tenant configuration, UI customization settings or front-end template files. It suggests the attacker operated at a privilege level that extended beyond data exfiltration into operational control over how institutions presented their Canvas environments to users. Instructure has not confirmed the full scope of write access involved, and the forensic investigation is ongoing.

This breach wasn’t Instructure’s first encounter with ShinyHunters. In September 2025, the group targeted Instructure’s Salesforce environment through a social engineering attack. Instructure confirmed that attackers did not reach Canvas product data in that incident. The two breaches targeted separate infrastructure through distinct attack methods, but together they represent a pattern of sustained targeting against a single vendor across eight months.

What Data Was Exposed in the Canvas Breach?

Instructure confirmed exposure of names, email addresses, student ID numbers and some private messages between Canvas users. The company stated it found no evidence that passwords, dates of birth, government identifiers or financial information were involved. Instructure’s statement reflects what investigators found at that point in time, not necessarily the full scope of what was taken.

ShinyHunters claimed credit for a significantly larger breach. The group’s disclosure listed:

  • 65 terabytes of data covering approximately 275 million individuals across roughly 9,000 schools
  • Billions of private messages
  • Named institutions including the University of Pennsylvania (306,000 affiliates), Harvard, MIT, Oxford and the University of North Carolina system
  • School districts across Texas, California and other states, and educational organizations in Australia and the EU

Instructure has not confirmed any of these figures.

The exposure window ran from April 30 to May 7, 2026, when Instructure shut down the Free-For-Teacher program permanently and completed credential rotation. Eight days is a short window; the downstream risk, however, isn’t.

Why Is the Stolen Data So Dangerous?

Student names, email addresses and student ID numbers are useful for fraud. Private Canvas messages are something more specific. They give an attacker the ability to craft phishing lures that reference real course interactions, instructor names and conversation content that only a legitimate participant in that Canvas environment would know.

A generic phishing email claiming a Canvas password reset might be easy to spot. However, an email that quotes a specific private Canvas message, references a course the student is enrolled in and uses their actual student ID establishes false credibility.

Times Higher Education flagged this as the primary downstream risk from the breach: Attackers can use stolen Canvas data to craft targeted lures that look nothing like the generic phishing emails users have learned to spot.

The phishing surface extends beyond the initial breach window because the stolen data remains usable indefinitely. Attackers don’t need to breach your institution’s network directly when they can use your students’ Canvas data to social-engineer credentials, deliver malware through course-material spoofs or escalate access through faculty accounts. Elevated phishing risk is a long-term condition.

Higher education is already the most heavily targeted sector for phishing attacks. According to the UK Cyber Security Breaches Survey, 97% of higher education institutions reported phishing attacks, a rate higher than any other sector surveyed. The Canvas breach adds a layer of personalization that makes it materially harder to defend against just through awareness training.

What Should Your Institution Do Now?

Your incident response clock is already running. Work through these in order:

  1. Re-authorize all third-party Canvas integrations against Instructure’s new API keys, starting with LTI tools in Settings > Apps, API integrations under Developer Keys and SSO configurations using SAML or OAuth against identity providers like Microsoft Entra ID or Okta
  2. Rotate any local copies of OAuth tokens, LTI secrets or API keys your IT team maintains that touched Canvas during the exposure window of April 30 to May 7
  3. Audit Canvas logs for anomalous activity during the exposure window, specifically accounts with external email addresses that accessed courses or private messages, logins from unexpected geographic locations and administrative actions by accounts without expected privileges
  4. Send targeted phishing warning communications to students, faculty and staff now, telling them specifically that attackers may reference real course names, Canvas messages or student IDs to appear legitimate, and that any unusual request should be verified through a separate channel before acting on it
  5. Notify your cyber insurance carrier of the incident
  6. Engage with Internet2 if your Canvas contract runs through the Net+ program
  7. Request log access and forensic validation support directly from Instructure
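
One way to apply the three audit criteria from step 3 to exported activity records, as an added example that is not from the original article or from Instructure. The field names, domains, role names, country codes and sample events are constructed assumptions; map them onto whatever log export your institution actually receives.

```python
from datetime import datetime, timezone

# Exposure window stated in the article: April 30 to May 7, 2026 (treated as UTC here).
WINDOW_START = datetime(2026, 4, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 8, tzinfo=timezone.utc)  # exclusive, so all of May 7 counts

# Assumptions: replace with your institution's real values.
INSTITUTION_DOMAINS = {"example.edu"}
EXPECTED_COUNTRIES = {"US"}
ADMIN_ROLES = {"admin"}
DATA_ACTIONS = {"course_view", "message_read"}

# Constructed sample events. Field names are hypothetical, not a Canvas export schema.
SAMPLE_EVENTS = [
    {"user": "u1", "email": "sam@example.edu", "role": "student",
     "action": "login", "country": "US", "ts": "2026-05-01T14:00:00+00:00"},
    {"user": "u2", "email": "kim@freemail.example", "role": "teacher",
     "action": "message_read", "country": "US", "ts": "2026-05-02T03:14:00+00:00"},
    {"user": "u3", "email": "lee@example.edu", "role": "teacher",
     "action": "login", "country": "ZZ", "ts": "2026-05-03T09:30:00+00:00"},
    {"user": "u4", "email": "pat@example.edu.attacker.example", "role": "teacher",
     "action": "course_view", "country": "US", "ts": "2026-05-04T11:00:00+00:00"},
    {"user": "u4", "email": "pat@example.edu.attacker.example", "role": "teacher",
     "action": "admin_theme_update", "country": "US", "ts": "2026-05-06T22:45:00+00:00"},
    {"user": "u2", "email": "kim@freemail.example", "role": "teacher",
     "action": "message_read", "country": "US", "ts": "2026-04-12T08:00:00+00:00"},
    {"user": "u5", "email": "ana@students.example.edu", "role": "student",
     "action": "course_view", "country": "US", "ts": "2026-05-07T23:30:00+00:00"},
]

def is_institutional(email):
    """True only for an exact institutional domain or one of its subdomains."""
    domain = email.rsplit("@", 1)[-1].lower()
    # The leading dot rejects lookalikes such as notexample.edu or example.edu.attacker.example.
    return any(domain == d or domain.endswith("." + d) for d in INSTITUTION_DOMAINS)

def audit(events):
    """Return (user, action, reasons) for each in-window event matching an audit criterion."""
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if not WINDOW_START <= ts < WINDOW_END:
            continue  # outside the exposure window
        reasons = []
        if ev["action"] in DATA_ACTIONS and not is_institutional(ev["email"]):
            reasons.append("external_email_data_access")
        if ev["action"] == "login" and ev["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected_login_country")
        if ev["action"].startswith("admin_") and ev["role"] not in ADMIN_ROLES:
            reasons.append("admin_action_without_role")
        if reasons:
            findings.append((ev["user"], ev["action"], reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

Each finding is a lead for manual review rather than a verdict; a traveling faculty member and a compromised account produce the same unexpected-country hit.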

EDUCAUSE, the nonprofit association serving higher education IT leaders, has been explicit that these shouldn’t be considered optional steps. Rather, they’re the difference between a managed incident and a prolonged exposure.

What Does This Breach Reveal About Learning Management System Security?

The Canvas breach exposes a structural problem that extends well beyond Instructure. Freemium tiers in enterprise SaaS products frequently ship with weaker identity verification than paid tenants while sharing back-end infrastructure with the production environment.

The economic logic of this approach is sound: lower-friction onboarding converts more free users into paying customers. The security logic is not: when that verification gap becomes a point of exploitation, the multi-tenant isolation model collapses.

Higher education IT teams have limited visibility into how their SaaS vendors architect these tiers. Most vendor security documentation describes data isolation controls for paid tenants without addressing how freemium account programs interact with production infrastructure. The Canvas incident is a case study in what happens when that architecture question goes unasked during procurement.

The broader pattern is also worth noting. A 2026 survey from Inside Higher Ed and Hanover Research found that 59% of campus CTOs identified cybersecurity threats as one of the biggest risks their institutions would face by 2030, second only to talent retention. Yet the same survey found institutions struggling with the pace of technology change and rising IT costs, precisely the conditions that push security review to the back of the procurement process.

The Congressional response adds weight to what the breach itself already implied. The House Committee on Homeland Security sent a letter to Instructure CEO Steve Daly requesting a briefing on why the company was breached twice by the same threat actor within a matter of weeks. The committee’s central question, whether remediation after the September 2025 Salesforce incident was thorough enough to prevent the May 2026 Canvas breach, is the same question every institution relying on Canvas should be asking its vendor today.

Learning management system security deserves the same vendor scrutiny as any other enterprise platform touching sensitive student data. Before signing or renewing any LMS contract, institutions should ask:

  • How do freemium or trial account tiers interact with production infrastructure, and do they share back-end systems with paid institutional tenants?
  • What identity verification requirements apply before a free account can access any data connected to an institutional environment?
  • What logging and audit data is available to institutions if unauthorized access occurs, and is it accessible at your subscription tier or does it require vendor support to retrieve?

Instructure’s inability to provide institutions with logs of Free-For-Teacher account activity scoped to their specific tenants created an investigation gap that affected every school trying to assess its exposure.

How Red River Helps Higher Education Institutions Strengthen Cybersecurity

The Canvas breach is a useful stress test for higher education security programs. It exposes gaps in four areas that most institutions haven’t fully addressed:

  • Identity controls: are MFA enforcement and Conditional Access policies hardened across all users, including contractors and guests?
  • Third-party integrations: does your team maintain a current inventory of every tool connected to Canvas, and do you know what data each one can access?
  • Log visibility: can your team investigate unauthorized access after the fact, or does your subscription tier limit what you can see?
  • Phishing defense: are your awareness programs built for targeted attacks that reference real student data, or generic ones that trained users already know how to spot?

Red River works with higher education institutions to assess and strengthen exactly these areas. Our cybersecurity managed services practice helps higher education institutions build proactive security programs that identify gaps before an attacker does. We cover:

  • Identity and access management hardening across all user types
  • Third-party integration security and vendor risk assessment
  • Security operations center monitoring and incident response
  • Phishing defense programs built for targeted attacks, not just generic awareness training

If your institution is working through the Canvas breach response or wants to assess your broader security posture before the next incident, contact Red River to start the conversation.

Frequently Asked Questions

Is Canvas safe to use now, and should institutions consider switching LMS platforms?

Instructure closed the Free-For-Teacher program permanently and rotated privileged credentials, which eliminates the specific attack vector exploited in this breach. Canvas is operational and Instructure’s forensic investigation is ongoing. Whether institutions should consider alternative LMS platforms is a more complex question that deserves honest framing.

Switching platforms doesn’t eliminate the underlying risk category, which is that any SaaS platform handling sensitive student data can be a target. What matters is how the vendor manages identity verification, tenant isolation, logging capability and incident response.

Any LMS evaluation triggered by this breach should include specific security architecture questions rather than treating the breach as evidence that Canvas is uniquely insecure. The 2026 Inside Higher Ed CTO survey noted that some institutions are already evaluating LMS alternatives, but security posture isn’t the only factor. Integration complexity, faculty adoption and contract terms all affect the realistic cost of switching.

How should institutions communicate with students about the Canvas breach?

Communications should be specific about what was exposed and what it enables attackers to do. A generic message telling students their information may have been compromised doesn’t give them the context to recognize a targeted attack.

Tell students that their Canvas messages, course enrollment information and student IDs may be in attacker hands and that attackers can use that information to craft phishing emails that look legitimate precisely because they reference real details. Give them concrete guidance:

  • Navigate to Canvas directly rather than following email links
  • Treat any unexpected password reset or credential request with suspicion regardless of how personalized it seems
  • Report suspicious emails to IT immediately

Institutions should also communicate through channels other than email alone, since email is the attack surface. Post-breach communications sent by email asking students to verify their accounts are indistinguishable from the phishing campaigns the breach enables.

Should institutions file a cyber insurance claim related to the Canvas breach?

Institutions should notify their cyber insurance carrier immediately if they haven’t already, regardless of whether they believe they suffered direct harm. Many policies have strict notification windows and missing them can void coverage. Even if your institution doesn’t appear on ShinyHunters’ disclosure list, the downstream phishing risk and the cost of incident response, log review and staff communications may qualify as covered losses.

Review your policy for coverage related to third-party vendor breaches specifically, since some policies distinguish between direct breaches and supply chain incidents.

EDUCAUSE recommends carrier notification as a first-order response step, and your carrier may also have incident response resources available to institutions that file promptly.

written by

Corrin Jones

Corrin Jones is the Director of Digital Demand Generation. With over ten years of experience, she specializes in creating content and executing campaigns to drive growth and revenue. Connect with Corrin on LinkedIn.
