Instructure discloses cyber incident affecting Canvas services
Instructure, the U.S. education technology company behind the Canvas learning platform, disclosed that it recently suffered a cybersecurity incident involving a criminal threat actor and has engaged outside forensic experts to investigate the scope and impact. The company said it is still determining what systems or data were affected and has not yet confirmed whether service disruptions beginning May 1—including maintenance affecting Canvas Data 2, Canvas Beta, and tools dependent on API keys—are directly tied to the incident.
The disclosure comes as education technology providers face sustained targeting because they hold large volumes of student and teacher information. Reporting around the incident notes that Instructure had already disclosed a separate Salesforce-related breach in September 2025 linked to social engineering, while external leak-site style listings have also associated the company with ShinyHunters claims that remain unverified. The latest incident also follows other major school technology breaches, including PowerSchool and Infinite Campus, underscoring continued pressure on the sector.
Timeline
May 5, 2026
Colorado Boulder, Rutgers, and Tilburg acknowledge Canvas incident
Several universities, including the University of Colorado Boulder, Rutgers, and Tilburg University, issued statements acknowledging the broader Instructure/Canvas security incident or said they were still assessing whether their data was affected. This added to the number of newly disclosed institutions publicly responding to the breach's potential impact.
May 5, 2026
ShinyHunters shares sample Instructure data with TechCrunch
TechCrunch reported that ShinyHunters shared sample data allegedly stolen from Instructure, tied to two U.S. schools in Massachusetts and Tennessee, appearing to validate part of the gang’s breach claims. The broader victim-count claims remained unverified.
May 4, 2026
UMass Amherst issues Canvas security incident monitoring update
UMass Amherst Information Technology published an update saying it was monitoring the Instructure/Canvas security incident and providing Canvas-related status information. This represents a newly disclosed institution publicly responding to the breach's potential impact.
May 4, 2026
Wayzata Public Schools warns parents about Canvas breach impact
Wayzata Public Schools sent warning letters to parents about the Canvas/Instructure data breach, indicating the incident affected data tied to the district. This represents a newly disclosed affected institution responding directly to the breach.
May 3, 2026
Instructure confirms data exposure and details remediation steps
Instructure said the 2026 cyber incident exposed certain user data, including names, email addresses, student ID numbers, and user messages at affected institutions, while reporting no evidence that passwords, dates of birth, government identifiers, or financial data were involved. The company said it engaged third-party cybersecurity experts and law enforcement, deployed patches, increased monitoring, rotated application keys, and required customers to re-authorize API access.
May 1, 2026
Instructure discloses new cyber incident and starts forensic probe
Instructure disclosed that it recently experienced a cybersecurity incident caused by a criminal threat actor. The company said it engaged outside forensic experts, began investigating the scope and impact, and would share more information as the investigation progresses.
May 1, 2026
Instructure says some Canvas services entered maintenance
Beginning May 1, Instructure customers were told that services including Canvas Data 2 and Canvas Beta were under maintenance, and that tools relying on API keys might experience issues. The company did not confirm whether this maintenance was connected to the cyber incident.
Oct 3, 2025
ShinyHunters leak-site listing names Instructure as a victim
A ransomware/leak-site style listing attributed an Instructure incident to ShinyHunters and claimed broad compromise metrics, including compromised employees and users. The listing said the attack was discovered on October 3, 2025, though the claims were not independently verified in the reference material.
Sep 21, 2025
Instructure discloses Salesforce-related security incident
Instructure published an update about a separate security incident affecting its Salesforce environment that was tied to social engineering. Later reporting said ShinyHunters claimed responsibility for this 2025 breach.
Related Stories

Infinite Campus says Salesforce account breach exposed school staff contact data
Infinite Campus, a major U.S. K-12 student information system provider, disclosed a security incident after a threat actor accessed an employee’s **Salesforce** account used for internal case management and ticketing and then attempted to extort the company. The company said the intrusion did **not** reach its student information system or customer databases, and that the data believed exposed was limited mainly to school staff names and contact details, much of it already publicly available. Threat actor **ShinyHunters** claimed responsibility, added Infinite Campus to its leak site, and threatened to publish allegedly stolen Salesforce records and internal corporate data if the company did not negotiate. Infinite Campus said it disabled the compromised account, began reviewing potentially affected Salesforce data for sensitive information that may have appeared in support tickets, and is notifying districts directly if further issues are identified. As a precaution, it also disabled some customer-facing services for organizations without IP restrictions while restoration work continued. The incident drew attention across the K-12 sector, with the North Carolina Department of Public Instruction saying it was in direct contact with the company and had not confirmed any impact to the state’s system, while Infinite Campus maintained that **no student data was breached**.
1 month ago
Ransomware and data-breach disclosures across education, critical infrastructure, and healthcare
Rome’s **La Sapienza University** shut down network systems as a precaution after a cyberattack caused widespread disruption and left its website offline; Italian media attributed the incident to a suspected ransomware operation linked to pro-Russian actor **Femwar02**, with reported tradecraft resembling **Bablock/Rorschach**-style fast encryption. Separately, Romania’s national oil pipeline operator **Conpet** reported a cyberattack that disrupted corporate IT and took down `www.conpet.ro` while leaving **OT/SCADA** and pipeline transport operations unaffected; **Qilin** claimed responsibility, alleging theft of nearly **1TB** of data and posting sample documents (including financial data and passport scans) to support extortion claims. In the U.S., government services contractor **Conduent** faced expanding breach impact from its January 2025 ransomware incident, with notifications indicating exposure potentially reaching **dozens of millions**; reported affected data includes **names, Social Security numbers, and medical/health insurance information**, with at least **15.4M** impacted in Texas and **10.5M** in Oregon per state disclosures. Additional healthcare-sector disclosures included a ransomware-linked intrusion at **Insightin Health** (unauthorized access in September 2025; **Medusa** claimed exfiltration of **378GB**) and a separate compromise at **Clinic Service Corporation** (August 2025 access window), while **Central Ozarks Medical Center** reported a criminal cyberattack affecting **11,818** individuals with exposure of PHI/PII (including SSNs and financial/insurance data). Other items in the set were not incident-specific: an **HHS-OIG** audit describing web application security weaknesses at a large hospital, and general guidance/education pieces on the value of medical records to attackers and **CISA** insider-threat guidance.
1 month ago
ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign
ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s **Mariner Society** loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained **8.7 million records** and **7.5 million unique email addresses**, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified. The same group also posted a **"Pay or Leak"** notice claiming it had compromised Udemy and stolen more than **1.4 million user records** along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.
Today