[CRITICAL] | Active extortion campaign | Exposure window closed | Credential rotation and phishing defense required
In early May 2026, Instructure confirmed a breach affecting its Canvas learning platform after detecting unauthorized activity on May 1. This is the second ShinyHunters attack against Instructure in eight months. The September 2025 incident targeted Salesforce business systems through social engineering. The May 2026 incident exploited the Free-For-Teacher account program, directly compromising the Canvas platform itself. The exposure window ran from 30 April to 7 May 2026. Instructure has confirmed exposure of names, email addresses, student IDs, and some private messages. Schools must rotate API credentials, monitor for personalized phishing, and assess Free-For-Teacher account usage in their environments.
9 May 2026: Initial publication. The exposure window closed 7 May, when Canvas was restored and the Free-For-Teacher program was permanently shut down. As of 7 May, which was the original payment deadline, ShinyHunters extended the ransom deadline to 12 May 2026. Instructure’s forensic investigation is ongoing.
On 1 May 2026, Instructure publicly confirmed unauthorized activity in its Canvas Learning Management System, detected 29 April 2026. ShinyHunters claimed responsibility on 3 May 2026 and launched a public extortion campaign with a 7 May deadline, later extended to 12 May 2026. Instructure took Canvas, Canvas Beta, and Canvas Test offline for investigation on 7 May and restored service the following day after permanently shutting down the Free-For-Teacher account program. According to some reports, some users may experience, or have experienced, degradation of service or temporary, local, institution-level blocks.
Instructure confirmed the unauthorized actor exploited an issue related to Free-For-Teacher accounts. The company revoked privileged credentials, rotated API keys, and engaged forensic investigators and law enforcement. Confirmed exposed data includes names, email addresses, student ID numbers, and some private messages between Canvas users. Instructure states no evidence of exposure for passwords, dates of birth, government identifiers, or financial information.
ShinyHunters claims 3.6 TB of data covering approximately 275 million users across 9,000 schools; however, Instructure has not confirmed these figures. TechCrunch reported login page defacements at affected institutions, but there has been no official confirmation from Instructure about the scope of write access required for defacement. Named schools include University of Pennsylvania (306,000 affiliates), Harvard, MIT, Oxford, University of North Carolina system schools, multiple Missouri colleges, Charlotte-area K-12 districts, Rutgers, and NC State, as well as certain school districts in Texas, California, and other states. The incident has also affected educational organizations in Australia and the EU.
This is ShinyHunters’ second breach of Instructure infrastructure in roughly eight months. The September 2025 incident targeted Salesforce environments through social engineering. Instructure stated at that time that no Canvas product data was accessed and exposed information was primarily public business contact details. The two incidents represent different attack classes against separate infrastructure.
Bitdefender threat intelligence and public reporting document ShinyHunters’ pattern as an extortion-as-a-service group, historically using voice phishing and social engineering for initial access. 2026 campaigns include Udemy, Figure, and Instructure. A late 2025 campaign claimed 1.5 billion Salesforce records across multiple customer environments.
Two ShinyHunters breaches at Instructure in eight months, but the attack surfaces are completely different. September 2025 was social engineering against Salesforce business systems — peripheral infrastructure with no Canvas product data. May 2026 is exploitation of the Free-For-Teacher account program, directly against the Canvas platform where institutional course data, student information, and private communications live. The vendor’s exposure pattern is not a single weakness. It is a series of underdefended adjacencies where trust boundaries between systems were weaker than the sensitivity of data they protected.
Free-For-Teacher accounts were production Canvas tenants with lower-friction onboarding. Educators could create accounts without institutional verification, gaining access to Canvas features for classroom use. These accounts shared infrastructure with paid institutional tenants — the same platform, the same data stores, logically isolated but running on shared back-end systems. That architectural choice is standard in multi-tenant SaaS (a model where multiple customers share the same software infrastructure, with data separation enforced through configuration rather than physical separation), and when implemented correctly, tenant isolation prevents one customer’s breach from affecting others. When the verification gap becomes an exploitation gap, the isolation model collapses.
Instructure has not disclosed the technical mechanism ShinyHunters used to exploit Free-For-Teacher accounts. What is confirmed: the attacker gained unauthorized access to production Canvas data, exfiltrated names, email addresses, student IDs, and private messages, and potentially defaced login pages at multiple institutions. TechCrunch reported defacement incidents, but this has not been confirmed by Instructure as activity related to the breach, and may have been a follow-on step to the initial breach. If accurate, the scale of write access this implies — mutation of tenant configuration or UI elements, not just read access to exfiltrate data — would indicate the attacker operated with elevated privileges (access rights beyond what a standard user account would permit).
The operational problem for IT is inventory visibility. Schools have no native way to identify which Free-For-Teacher accounts accessed their institutional Canvas tenant, either legitimately through course integrations or maliciously during the exposure window. A teacher using a free account to pilot Canvas before institutional adoption may have legitimate connections to live course data. An attacker using a compromised free account has the same access patterns. Without logs showing Free-For-Teacher account activity scoped to your tenant, IT cannot distinguish between the two.
The exposure window ran from 30 April to 7 May 2026, when Instructure shut down the Free-For-Teacher program and rotated privileged credentials. The eight-day window is short. The blast radius is not. Canvas is deployed at thousands of schools globally, and the exposed PII — names, student IDs, email addresses, and private message content — is high-quality fuel for personalized phishing campaigns. A generic phishing email claiming to be from Canvas administration is easy to spot. An email that references a specific course, quotes a private Canvas message, or includes the recipient’s actual student ID establishes false credibility.
Times Higher Education flagged this as the primary downstream risk: spear phishing against students and faculty using stolen Canvas data to craft targeted lures. The attacker does not need to breach your school’s network directly when they can use your students’ Canvas data to social-engineer credentials, deliver malware through course-material spoofs, or escalate access through faculty accounts. The phishing surface extends beyond the initial breach window because the stolen data remains usable.
ShinyHunters also claims breach of Instructure’s Salesforce instance and states that individual organizations have already paid. Neither claim is independently verified. The group operates as extortion-as-a-service, using breach claims and public disclosure timelines to pressure victims into payment.
The operational lesson for IT: freemium tiers in B2B SaaS frequently ship with weaker identity verification than paid tenants while sharing back-end infrastructure with the production product. When the verification gap becomes an exploitation gap, the isolation model collapses. That is what happened here.
If you have confirmed your institution is listed in ShinyHunters’ disclosure, skip ahead to What To Do.
Instructure has not released a technical postmortem detailing the vulnerability class or exploitation method used to compromise Free-For-Teacher accounts. What is confirmed through public disclosure: the attacker exploited an issue related to the Free-For-Teacher account program, gained access to production Canvas data, and potentially achieved write access sufficient to deface login pages at multiple institutions. This section documents what the incident reveals about the operational reality of the attack based on confirmed actions and ShinyHunters’ historical tactics.
Free-For-Teacher accounts were designed to let educators create Canvas accounts without institutional affiliation or verification. These accounts ran on production Canvas infrastructure, not a separate sandbox environment. Multi-tenant SaaS platforms typically enforce logical separation between customer environments through application-layer access controls (which customer can see which data), database row-level permissions (which records belong to which tenant), and API authorization checks (which accounts can perform which actions). When these controls rely on account verification as a trust boundary, and the verification step is weakened or bypassed in a freemium tier, the isolation model depends on attackers not discovering that the lower-friction onboarding path also grants lower-scrutiny access to production tenant data.
The defacement reporting adds a second dimension. TechCrunch reported school login pages were altered during the breach window. Instructure has not officially confirmed the scope of write access required for defacement. If accurate, this implies the attacker had write access to tenant configuration, UI customization settings, or front-end template files — not just read access to exfiltrate student data. Canvas allows institutional administrators to customize login pages, branding, and authentication workflows. If the attacker gained access at a privilege level that permitted these customizations, either through privilege escalation (gaining higher permissions than initially granted) within a Free-For-Teacher account or through stolen administrative credentials, the scope of exposure extends beyond data exfiltration to operational control over tenant presentation.
Instructure’s response confirms the attack vector was closed through two actions: permanent shutdown of the Free-For-Teacher program and rotation of privileged credentials and API keys. The credential rotation indicates Instructure assessed that attacker access may have involved or compromised service-level authentication tokens, not just individual user accounts. Schools that integrated third-party tools with Canvas using LTI (Learning Tools Interoperability, in which external apps are embedded in Canvas), OAuth (granting apps access without sharing passwords), or SAML (single sign-on authentication) received instructions to re-authorize those integrations after Instructure rotated its API keys. This is standard breach-response procedure when the platform’s service credentials are considered potentially compromised.
ShinyHunters’ historical tactics provide context for how the initial access likely occurred, though Instructure has not confirmed this. Bitdefender threat intelligence documents ShinyHunters’ pattern: voice phishing and social engineering to gain initial credentials, often impersonating IT support or trusted internal personnel. The timing of this incident is also notable: it generally coincides with finals and the closing of various school projects at the end of the school year. ShinyHunters have been behind a number of noteworthy incidents in recent years, and this attack would seem to be designed for impact and notoriety. The group has targeted Salesforce environments extensively, including the September 2025 Instructure incident. The shift to exploiting a product-tier vulnerability (Free-For-Teacher accounts) rather than peripheral business systems represents an operational escalation. Whether the Free-For-Teacher exploit was a technical vulnerability (authentication bypass — logging in without valid credentials; tenant-isolation flaw — accessing another organization’s data) or an account-takeover campaign using stolen credentials, the result is the same: an underdefended trust boundary likely became an exploitation vector into production Canvas data.
The 3.6 TB data volume and 275 million user count claimed by ShinyHunters remain unverified. Instructure’s confirmed exposure list is narrower: names, email addresses, student IDs, and some private messages. The confirmed not-exposed list includes passwords, dates of birth, government identifiers, and financial information. “No evidence of exposure” is not the same as “confirmed not present in the dataset,” but Instructure’s forensic investigation is ongoing and will likely clarify scope over time.
The steps below expand on the immediate actions summarized at the top of this advisory.
Check the ShinyHunters disclosure list for your school’s name, domain, or identifying information. The list is hosted on threat-actor-controlled infrastructure: hxxp://91[.]215[.]85[.]103/pay_or_leak/instructure_affected_schools_list[.]txt. Access only from a sandboxed browser or isolated virtual environment. Do not visit from production systems.
If your institution does not appear on the list, you are likely not directly affected by this breach, but proceed to steps 3 and 4 for phishing defense and monitoring.
If your institution is listed, or if you have received direct notification from Instructure, proceed immediately to steps 2 through 4.
Instructure rotated its privileged API keys in response to the breach. Any third-party tools that integrate with your Canvas instance using API connections must be re-authorized.
Identify Canvas integrations in your environment:
- Check your Canvas Admin panel under Settings > Apps for installed LTI tools (examples: Turnitin, Zoom, Google Drive, Microsoft Teams, plagiarism checkers, video conferencing tools)
- Review API integrations configured through Developer Keys
- Check single sign-on (SSO) configurations if your Canvas login uses SAML or OAuth with an identity provider like Microsoft Entra ID (formerly Azure AD), Okta, or Google Workspace

Re-authorize each integration:
- Navigate to the app configuration in Canvas Admin > Apps
- Remove and re-add the integration using fresh API credentials provided by Instructure post-rotation
- Test the integration to confirm it works (attempt a login, submit a test assignment, or open an embedded tool depending on the app type)

Rotate locally-cached secrets: If your IT team maintains local copies of OAuth tokens, LTI secrets, or API keys that touched Canvas during the exposure window (30 April to 7 May 2026), rotate them as well. These credentials may have been exposed if the attacker had access to Canvas configuration data.
Instructure has not provided schools with logs showing which Free-For-Teacher accounts accessed institutional tenants. You cannot definitively identify whether a compromised free account touched your environment, but you can audit recent activity for anomalies.
Review Canvas logs for:
- Accounts with external email addresses (not your institutional domain) that accessed courses, assignments, or private messages
- Login activity from unexpected geographic locations during the exposure window (30 April to 7 May 2026)
- Administrative actions (course modifications, user enrollments, permission changes) by accounts without expected privileges

Canvas Admin > Settings > Logging provides access to some of this data, but granularity varies by Canvas subscription tier. If logs are insufficient, contact Instructure support to request targeted audit data for your tenant during the exposure window.
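The three review criteria above can be applied to an exported activity log in one pass. The following is an added example, not Instructure's or Bitdefender's code: the CSV column names, role names, action names, domain and country values are all assumptions and must be mapped to whatever your own export contains.

```python
import csv
import io
from datetime import datetime, timezone

# Exposure window from the advisory (30 April to 7 May 2026), treated as UTC days.
WINDOW_START = datetime(2026, 4, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 8, tzinfo=timezone.utc)  # exclusive upper bound

# Assumptions: replace with your institution's own values.
INSTITUTION_DOMAINS = {"example.edu"}
EXPECTED_COUNTRIES = {"US"}
ADMIN_ACTIONS = {"course_update", "enrollment_create", "role_change"}
ADMIN_ROLES = {"AccountAdmin"}

# Constructed sample export; the column names are hypothetical.
SAMPLE_LOG = """timestamp,user_email,role,action,country
2026-04-29T10:00:00Z,jdoe@example.edu,StudentEnrollment,course_view,US
2026-05-02T03:14:00Z,teacher77@freemail.example,TeacherEnrollment,conversation_read,US
2026-05-03T22:40:00Z,asmith@example.edu,TeacherEnrollment,login,RO
2026-05-04T09:05:00Z,bwong@example.edu,TeacherEnrollment,role_change,US
2026-05-05T12:00:00Z,admin@example.edu,AccountAdmin,role_change,US
2026-05-09T08:00:00Z,outsider@freemail.example,TeacherEnrollment,course_view,US
"""

def parse_ts(value):
    # Older Python versions reject a trailing "Z" in fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_institutional(email):
    # Accept the institutional domain and any of its subdomains.
    domain = email.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in INSTITUTION_DOMAINS)

def triage(log_text):
    """Return (row, reasons) for each in-window event that meets a review criterion."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not (WINDOW_START <= parse_ts(row["timestamp"]) < WINDOW_END):
            continue
        reasons = []
        if not is_institutional(row["user_email"]):
            reasons.append("external_email")
        if row["action"] == "login" and row["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected_location")
        if row["action"] in ADMIN_ACTIONS and row["role"] not in ADMIN_ROLES:
            reasons.append("admin_action_without_privilege")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in triage(SAMPLE_LOG):
        print(row["timestamp"], row["user_email"], row["action"], ",".join(reasons))
```

A finding is a prompt for manual review, not proof of compromise: a legitimate guest lecturer or a travelling faculty member matches the same criteria.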
The exposed data — names, student IDs, email addresses, and private message content — enables targeted phishing campaigns that reference accurate personal details. A generic phishing email claiming “Canvas password reset required” is easy to spot. An email that quotes a private Canvas message, references a specific course, or includes the recipient’s student ID establishes false credibility.
Alert students, faculty, and staff immediately:
- Phishing emails may appear to come from Canvas, your institution’s IT department, or course instructors
- Messages may reference specific Canvas courses, private conversations, or student records that match the recipient’s actual data
- Legitimate password resets, grade notifications, and course updates will come through the official Canvas portal — not through unsolicited emails with links

Train users to verify before clicking:
- Hover over links to check destination URLs before clicking (legitimate Canvas links use your institution’s Canvas domain)
- Verify requests through a separate channel (navigate directly to Canvas or contact IT) before providing credentials or personal information
- Report suspicious emails to IT immediately, even if they appear legitimate

Monitor for Canvas-themed phishing campaigns:
- Watch for increases in phishing reports referencing Canvas, course assignments, or grades
- Check for newly-registered domains that spoof your institutional Canvas subdomain or Instructure branding
- If your institution uses a phishing-reporting tool or email quarantine system, add filters for Canvas-related keywords during the elevated-risk period

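Both the link-destination check and the newly-registered-domain check come down to comparing a hostname against your real Canvas host. This added example (not code from the advisory or from Instructure) classifies URLs from reported emails or entries from a domain feed. The host `canvas.example.edu`, the trusted suffix list and every sample value are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumptions: your real Canvas host, domains you trust, and brand strings to watch.
CANVAS_HOST = "canvas.example.edu"
TRUSTED_SUFFIXES = ("example.edu", "instructure.com")
BRAND_TOKENS = ("canvas", "instructure")
DIGIT_SWAPS = str.maketrans("1453", "iase")  # common digit-for-letter substitutions

# Constructed samples: links from reported emails and entries from a new-domain feed.
SAMPLES = [
    "https://canvas.example.edu/courses/101",
    "https://www.instructure.com/incident_update",
    "canvs.exampie.edu",
    "c4nvas-login.test",
    "canvas.example.edu.account-verify.test",
    "news.example.org",
]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Accept a bare domain or a full URL and return the lowercase hostname."""
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def classify(value):
    host = host_of(value)
    if not host:
        return "invalid"
    if host == CANVAS_HOST:
        return "official"
    if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return "trusted"
    # The real host name used as the leading labels of an unrelated domain.
    if host.startswith(CANVAS_HOST + "."):
        return "lookalike"
    # Near misses of the real host (dropped or swapped characters).
    if edit_distance(host, CANVAS_HOST) <= 2:
        return "lookalike"
    # Brand words inside a domain that is not on the trusted list.
    if any(tok in host.translate(DIGIT_SWAPS) for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

def flag_suspicious(values):
    return [v for v in values if classify(v) == "lookalike"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{classify(value):10} {value}")
```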
TechCrunch reported that attackers defaced school login pages during the breach. If accurate, this indicates the attacker had write access to tenant configuration or UI customization settings.
Check your Canvas login page:
- Navigate to your institution’s Canvas URL and visually inspect the login page for unexpected text, images, or branding changes
- Compare against a known-good screenshot or archived version from before 30 April 2026
- Check Canvas Admin > Settings > Branding for unauthorized customization changes

Review tenant configuration:
- Check Admin > Settings > Authentication for unexpected changes to SSO providers or login workflows
- Review Admin > Settings > Account Settings for modified domain names, feature flags, or administrative contacts

If you find evidence of tampering, document it, take screenshots, and report it to Instructure support and law enforcement immediately.
Even after credential rotation and Free-For-Teacher program shutdown, the stolen data remains usable. Phishing campaigns may emerge weeks or months after the breach.
Sustained monitoring actions:
- Continue elevated phishing awareness training for at least 90 days post-breach
- Monitor dark web breach forums and disclosure sites for additional ShinyHunters Canvas data releases (Bitdefender MDR customers: see GravityZone Coverage below for automatic monitoring)
- Watch for credential-stuffing attacks using exposed email addresses against other institutional systems
- Review Canvas activity logs monthly for anomalous account behavior or unexpected data access

| Indicator Type | Data | Description |
| --- | --- | --- |
| URL | hxxp://91[.]215[.]85[.]103/pay_or_leak/instructure_affected_schools_list[.]txt | ShinyHunters public listing of affected institutions (defanged — access only from sandboxed environment) |
| URL | hxxp[:]//shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid[.]onion/ | ShinyHunters public data leak site (defanged – access only from sandboxed environment, must use Tor or similar browsers) |
| IP | 91[.]215[.]85[.]103 | ShinyHunters infrastructure hosting affected-schools list (defanged) |

Exercise caution: These indicators point to threat-actor-controlled infrastructure. Bitdefender MDR explicitly recommends sandboxed-browser or virtual-environment access only when reviewing attacker-hosted disclosure sites.
Bitdefender MDR’s Cyber Intelligence Fusion Cell (CIFC) provides continuous monitoring of dark web disclosure sites, extortion blogs, and breach forums for customer-related exposure. CIFC matches customer brand names, domains, and identifiers from the MDR customer questionnaire against new ShinyHunters disclosures and other threat-actor listings. Advisories have already been sent to affected MDR Plus customers, and any new events are alerted directly through the customer portal and security account managers if new exposures emerge.
For the Instructure Canvas breach, MDR customers whose institutions appear on ShinyHunters’ disclosure list have been notified with recommended actions. MDR Plus customers can submit requests-for-information through their security account manager for additional threat intelligence or hunting support related to Canvas-themed phishing or account-takeover attempts.
CIFC monitoring is continuous and extends beyond the initial breach disclosure. If ShinyHunters releases additional Canvas data or if other threat actors redistribute the stolen dataset, affected MDR customers will be alerted again. MDR monitoring continues for the duration of the ShinyHunters disclosure cycle and will alert customers if additional Canvas data is released.
Please note that Instructure has released public communications about this breach, and will likely continue to update their advisory as additional information is discovered. The FAQ page can be accessed here: https://www.instructure.com/incident_update