Instructure discloses cyber incident affecting Canvas services
Instructure, the U.S. education technology company behind the Canvas learning platform, disclosed that it recently suffered a cybersecurity incident involving a criminal threat actor and has engaged outside forensic experts to investigate the scope and impact. The company said it is still determining what systems or data were affected and has not yet confirmed whether service disruptions beginning May 1—including maintenance affecting Canvas Data 2, Canvas Beta, and tools dependent on API keys—are directly tied to the incident.
The disclosure comes as education technology providers face sustained targeting because they hold large volumes of student and teacher information. Reporting around the incident notes that Instructure had already disclosed a separate Salesforce-related breach in September 2025 linked to social engineering, while external leak-site style listings have also associated the company with ShinyHunters claims that remain unverified. The latest incident also follows other major school technology breaches, including PowerSchool and Infinite Campus, underscoring continued pressure on the sector.
How this story unfolded
40 events from the earliest known activity through the most recent confirmed update.
Instructure discloses Salesforce-related security incident
Instructure published an update about a separate security incident affecting its Salesforce environment that was tied to social engineering. Later reporting said ShinyHunters claimed responsibility for this 2025 breach.
ShinyHunters leak-site listing names Instructure as a victim
A ransomware/leak-site style listing attributed an Instructure incident to ShinyHunters and claimed broad compromise metrics, including compromised employees and users. The listing said the attack was discovered on October 3, 2025, though the claims were not independently verified in the reference material.
Instructure says it discovered the breach on April 29
Instructure said the breach underlying the Canvas incident was discovered on April 29, 2026, before its public disclosure. The company later linked the May 7 defacement disruption to this earlier compromise.
Instructure says some Canvas services entered maintenance
Beginning May 1, Instructure customers were told that services including Canvas Data 2 and Canvas Beta were under maintenance, and that tools relying on API keys might experience issues. The company did not confirm whether this maintenance was connected to the cyber incident.
Instructure discloses new cyber incident and starts forensic probe
Instructure disclosed that it recently experienced a cybersecurity incident caused by a criminal threat actor. The company said it engaged outside forensic experts, began investigating the scope and impact, and would share more information as the investigation progresses.
Instructure confirms data exposure and details remediation steps
Instructure said the 2026 cyber incident exposed certain user data, including names, email addresses, student ID numbers, and user messages at affected institutions, while reporting no evidence that passwords, dates of birth, government identifiers, or financial data were involved. The company said it engaged third-party cybersecurity experts and law enforcement, deployed patches, increased monitoring, rotated application keys, and required customers to re-authorize API access.
Wayzata Public Schools warns parents about Canvas breach impact
Wayzata Public Schools sent warning letters to parents about the Canvas/Instructure data breach, indicating the incident affected data tied to the district. This represents a newly disclosed affected institution responding directly to the breach.
UMass Amherst issues Canvas security incident monitoring update
UMass Amherst Information Technology published an update saying it was monitoring the Instructure/Canvas security incident and providing Canvas-related status information. This represents a newly disclosed institution publicly responding to the breach's potential impact.
UT Austin posts notice on Canvas vendor security incident
The University of Texas at Austin published a notice about the May 2026 Canvas vendor security incident, indicating it was publicly responding to the Instructure breach and assessing or communicating potential impact to its community. This adds UT Austin as another newly disclosed institution tied to the incident.
ShinyHunters shares sample Instructure data with TechCrunch
TechCrunch reported that ShinyHunters shared sample data allegedly stolen from Instructure, tied to two U.S. schools in Massachusetts and Tennessee, appearing to validate part of the gang’s breach claims. The broader victim-count claims remained unverified.
Colorado Boulder, Rutgers, and Tilburg acknowledge Canvas incident
Several universities, including the University of Colorado Boulder, Rutgers, and Tilburg University, issued statements acknowledging the broader Instructure/Canvas security incident or said they were still assessing whether their data was affected. This added newly disclosed institutions publicly responding to the breach's potential impact.
St. Petersburg College posts notice on Instructure cyber incident
St. Petersburg College published a notice about the Instructure cybersecurity incident, indicating the college was monitoring or responding to the Canvas-related breach and its potential impact on the institution. This adds St. Petersburg College as another publicly disclosed affected institution tied to the incident.
Baylor University says Instructure breach affects its community
Baylor University Information Technology Services published a notice stating that the Instructure data breach impacts U.S. universities, indicating Baylor was among the institutions affected or assessing impact from the Canvas incident. This adds Baylor as a newly disclosed institution publicly responding to the breach.
University of Pennsylvania says Canvas breach affected over 300,000 users
The Daily Pennsylvanian reported that the University of Pennsylvania said more than 300,000 Penn users were affected by the Instructure/Canvas hack claimed by ShinyHunters. This adds Penn as a newly disclosed impacted institution and provides a specific user-impact estimate tied to the broader breach.
University of California posts UC-wide notice on Canvas breach
UCnet published a notice about the nationwide security breach involving Canvas, indicating the University of California system was publicly responding to the Instructure incident and assessing or communicating potential impact to its community. This adds the University of California as another newly disclosed institution tied to the breach.
RMIT and UTS extend deadlines after Canvas disruption
The Guardian reported that Australia's RMIT University and the University of Technology Sydney were affected by the Instructure/Canvas incident and extended assignment deadlines in response. This adds two newly disclosed institutions with concrete academic impact from the broader breach and outage.
ShinyHunters defaces Canvas login pages at three schools
TechCrunch observed defaced Canvas login pages at three schools displaying a message attributed to ShinyHunters, threatening to publish stolen data on May 12 unless Instructure negotiated a settlement. The defacement appeared linked to an injected HTML file, indicating a new extortion escalation beyond the previously disclosed data breach.
Canvas defacement campaign expands to about 330 institutions
BleepingComputer reported that ShinyHunters' extortion-related defacement spread to roughly 330 colleges and universities, appearing on Canvas login pages and in the Canvas app with a ransom deadline of May 12, 2026. The report also said Instructure took Canvas offline in response, marking a significant escalation in scope and operational impact.
Universities report widespread Canvas outage amid cyber incident
On 2026-05-07, universities across the U.S. reported outages affecting the Canvas learning platform during the ongoing Instructure cyber incident. Institutions including Stanford, Columbia, Princeton, and Boston College said they were experiencing disruption or warned students to watch for suspicious messages.
University of Utah responds to Canvas data breach
The University of Utah published a notice saying its UIT team was responding to the Instructure/Canvas security incident and communicating guidance or impact information to its community. This adds the University of Utah as another publicly disclosed institution tied to the broader breach.
Pitt County Schools posts update on Canvas data breach
Pitt County Schools published an update regarding the Instructure/Canvas data breach, indicating the district was publicly responding to the incident and communicating potential impact or guidance to its community. This adds Pitt County Schools as another newly disclosed affected institution tied to the broader breach.
UBC and SFU acknowledge Canvas breach impact
The University of British Columbia and Simon Fraser University said the Instructure/Canvas cyber breach could affect their communities, with SFU warning that exposed data may include names, email addresses, student ID numbers, and user messages. UBC said it learned of the incident late Tuesday and advised users to log out of Canvas, change passwords if they had logged in that afternoon, and remain alert for phishing.
Harvard, Columbia, and Georgetown warn students about Canvas breach
WIRED reported that Harvard, Columbia, and Georgetown warned students about the Instructure/Canvas security incident and its potential impact. This adds three newly disclosed institutions publicly responding to the breach, while Rutgers had already been identified in earlier reporting.
University of Virginia posts notice on Canvas security incident
The University of Virginia published a notice about the May 2026 Instructure/Canvas cybersecurity incident, indicating it was publicly responding to the vendor breach and communicating potential impact or guidance to its community. This adds UVA as another newly disclosed institution tied to the incident.
Duke, UCLA, and Nebraska reported among Canvas-affected institutions
Reuters, citing student newspaper reporting, said Duke University, UCLA, and the University of Nebraska were among institutions reporting impact from the Instructure/Canvas breach and related disruption. This adds three newly disclosed universities to the list of schools publicly tied to the incident.
Instructure says Canvas mostly restored as schools report ongoing disruption
By late 2026-05-08, Instructure said Canvas had become available for most users following the widespread cyberattack, though some institutions continued reporting outages on Friday. The disruption affected schools internationally, including exam cancellations at Penn State University and service warnings from the University of Sydney.
Queensland's QLearn reports disruption from Canvas cyber incident
ABC Australia reported that Queensland's QLearn platform, used across universities, TAFEs, and public schools, was disrupted as part of the broader Instructure/Canvas cyber incident. Officials and education providers said investigations were ongoing and warned users about phishing and scam risks tied to exposed contact information.
Idaho State, Toronto, and Chicago report Canvas disruption
BBC reported that Idaho State University, the University of Toronto, and the University of Chicago publicly confirmed operational disruption from the Instructure/Canvas cyber incident. The report said the outage affected coursework and examinations as institutions warned students about prolonged access issues or took precautionary steps such as logging out or disabling access.
University of Illinois and UMass Dartmouth alter exams after Canvas disruption
The University of Illinois and the University of Massachusetts Dartmouth reported that the Canvas cyberattack disrupted coursework during finals, forcing postponements, rescheduling, or deadline extensions for exams and assignments. This adds two newly disclosed institutions with concrete academic impact from the broader Instructure incident.
Instructure links May 7 attack to Free-For-Teacher vulnerability
Instructure said attackers breached its infrastructure a second time through an unspecified vulnerability in the Free-For-Teacher version of Canvas, leading to the May 7 defacement and disruption. The company said it temporarily took Canvas offline, shut down Free-For-Teacher accounts during containment, and had found no evidence of persistence, credential theft, or broader data theft from that disruption.
University of Memphis posts notice on Canvas security incident
The University of Memphis published a notice about the May 2026 Instructure/Canvas security incident, indicating it was publicly responding to the vendor breach and communicating potential impact or guidance to its community. This adds the University of Memphis as another newly disclosed institution tied to the broader incident.
Proposed class action lawsuit emerges over Canvas data breach
The reference says the 2026 Canvas data breach prompted a proposed class action lawsuit in the United States. This marks a new legal escalation beyond the previously documented institutional responses, extortion activity, and congressional scrutiny.
Birmingham, Oxford, Edinburgh, and Mississippi State report Canvas disruption
IT Pro reported that the Universities of Birmingham, Oxford, Edinburgh, and Mississippi State University were among institutions dealing with disruption from the Instructure/Canvas cyberattack during the exam period. This adds four newly disclosed institutions publicly tied to the broader incident across the UK and U.S.
FBI acknowledges Canvas breach as House committee opens inquiry
U.S. authorities publicly engaged with the Instructure/Canvas incident, with the FBI saying it was aware of the compromise and the House Homeland Security Committee opening an inquiry. The development marked a federal response to the breach and disruption affecting educational institutions.
ShinyHunters says its shinyhunte.rs domain was suspended
ShinyHunters claimed on May 11 that its clearnet domain, shinyhunte.rs, had been suspended and was no longer under the group's control, warning users not to trust it. The suspension prompted speculation about possible law enforcement action, although no official seizure was confirmed in the reference.
Report details XSS flaws used to hijack Canvas admin sessions
Reporting said the attackers exploited multiple cross-site scripting vulnerabilities in Canvas user-generated content features to hijack authenticated administrator sessions and carry out privileged actions. The technical details provided new insight into how the Free-for-Teacher compromise and subsequent May 7 defacement were executed.
ShinyHunters resets Canvas leak deadline to May 12
In reporting published May 12, ShinyHunters said schools affected by the Instructure/Canvas breach had until May 12, 2026 to negotiate directly before stolen data would be leaked. This updated the gang's extortion posture after the earlier defacement campaign had already threatened publication on the same date.
Instructure says it paid extortion demand to prevent Canvas data leak
Instructure disclosed that it reached an agreement with the extortion group tied to the Canvas breach, paid to stop publication of the stolen data, received the data back, and obtained digital confirmation that it was destroyed. The company also said affected customers would not face separate extortion attempts under the agreement.
House lawmakers demand Instructure testify on Canvas breaches
U.S. House Homeland Security Committee lawmakers pressed Instructure to testify and answer questions about the two Canvas-related cyberattacks, including how the same vulnerability was allegedly exploited twice, what data was taken, how schools were notified, and whether the company coordinated adequately with CISA. The development marked an escalation from the committee's earlier inquiry into active congressional scrutiny of Instructure's incident response.
Senate HELP Committee joins congressional scrutiny of Instructure
The Senate Committee on Health, Education, Labor, and Pensions sent a letter to Instructure CEO Steve Daly seeking answers about the repeated Canvas attacks, including whether a ransom was paid and whether the incidents were linked to the September 2025 Salesforce compromise. This expanded congressional scrutiny beyond the House Homeland Security Committee's earlier inquiry.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
50 references tracked. Mallory keeps watching after this page renders.
Security Incident Update & FAQs | Instructure
instructure.com
Open sourceInstructure cyberattack reignites ransom payment debate | TechTarget
techtarget.com
Open sourceCongress Puts Heat on Instructure After Canvas Outage
darkreading.com
Open sourceSecurity pros doubt Canvas attackers really deleted stolen student data
theregister.com
Open sourceInstructure Reaches Deal with ShinyHunters to Prevent Canvas Data Leak
hackread.com
Open sourceHouse committee chair calls on Instructure to testify in Canvas hack | news | SC Media
scworld.com
Open sourceShinyHunters claims domain suspension after Canvas LMS attacks | brief | SC Media
scworld.com
Open sourceInstructure reaches agreement with hackers after Canvas data breach | brief | SC Media
scworld.com
Open sourceInstructure chose to a pay ransom following the Canvas cyber attack - research shows more than half of security leaders would follow suit | IT Pro
itpro.com
Open sourceInstructure settles with hackers following massive student data theft
securityaffairs.com
Open sourceInstructure Pays Ransom Following Canvas Cyberattack - TechNadu
technadu.com
Open sourceUS lawmakers demand answers from Instructure after Canvas data breaches | TechCrunch
techcrunch.com
Open sourceInstructure Pays ShinyHunters Ransom to Little Likely Return
bankinfosecurity.com
Open sourceCanvas owner reaches ‘agreement’ with threat actors after data breach | Cybersecurity Dive
cybersecuritydive.com
Open sourceteiss - News - Canvas' parent company reaches agreement with hacking group behind breach
teiss.co.uk
Open sourceDeal Reached With Hackers to Delete Data Stolen From the Canvas Educational Platform
edweek.org
Open sourceWhat to know after the Canvas cyberattack | Consumer Advice
consumer.ftc.gov
Open source‘You deserved more consistent communication from us, and we didn’t deliver’: Instructure CEO issues apology over Canvas cyber attack disruption | IT Pro
itpro.com
Open sourceInstructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak
thehackernews.com
Open sourceInstructure took a risky approach to recover stolen Canvas data - Help Net Security
helpnetsecurity.com
Open sourceInstructure pays ransom after Canvas incident as Congress announces investigation | The Record from Recorded Future News
therecord.media
Open sourceTechnology Security Alert - Ongoing Cybersecurity Incident Involving the Canvas Learning Management System | Knowledge Center
fsapartners.ed.gov
Open sourceInstructure reaches 'agreement' with ShinyHunters to stop data leak
bleepingcomputer.com
Open sourceCanvas Is Fully Back Online After Parent Company Says It Reached Deal With Hackers
chronicle.com
Open sourceDouble Canvas intrusion confirmed as ShinyHunters resets leak deadline
theregister.com
Open sourceCanvas' parent company strikes deal with hackers to delete data stolen from educational platform - CBS News
cbsnews.com
Open sourceInstructure strikes deal with hackers who breached it twice | TechCrunch
techcrunch.com
Open sourceCanvas breach spotlights cybercriminal appetite for student data - Nextgov/FCW
nextgov.com
Open sourceUniversities worldwide still struggling with fallout from Canvas cyber attack | IT Pro
itpro.com
Open sourceInstructure confirms hackers used Canvas flaw to deface portals
bleepingcomputer.com
Open sourceInstructure Pays Ransom to Canvas Hackers
insidehighered.com
Open sourceShinyHunters Launches Second Major Attack on Instructure Canvas LMS via Free-For-Teacher Accounts: May 2026 Breach Analysis and Mitigation - Rescana
rescana.com
Open sourceChaos erupts as cyberattack disrupts learning platform Canvas amid finals - Ars Technica
arstechnica.com
Open sourceCanvas Restored After Hack, Breach Traced to 'Free-For-Teacher' Accounts | PCMag
pcmag.com
Open sourceShinyHunters escalates Canvas attacks with school login defacements | Malwarebytes
malwarebytes.com
Open sourceCyberattack on Canvas system causes chaos for students at thousands of schools | AP News
apnews.com
Open sourceteiss - News - Education tool Canvas hacked, multiple US college newspapers report
teiss.co.uk
Open sourceInternational cyber attack disrupts swath of universities and schools
bbc.co.uk
Open sourceIncident Change Log for May 2026 - Instructure Community
community.instructure.com
Open sourceTens of thousands of students and teachers unable to access QLearn following cybersecurity breach - ABC News
abc.net.au
Open sourceHackers ate my homework: Educational SaaS Canvas down after cyberattack
theregister.com
Open sourceThe Canvas/Instructure Breach: What Happened and What It Teaches | CyberLeveling
cyberleveling.com
Open sourceInstructure, Canvas Data Breach Lawsuit Investigation: SSH
stuevesiegel.com
Open sourceShinyHunters Claims Second Attack Against Instructure
darkreading.com
Open sourceEducation Sector in the Crosshairs: ShinyHunters' Extortion Campaign Against Instructure
halcyon.ai
Open sourceThe Canvas Hack Is a New Kind of Ransomware Debacle | WIRED
wired.com
Open sourceCanvas E-Learning Platform Breached by Cybercriminals
bankinfosecurity.com
Open sourceShinyHunters breached Canvas/Instructure - 275M student records stolen from 8,809 schools, ransom deadline May 12 : r/netsec
reddit.com
Open sourceInstructure Cybersecurity Incident - May 2026 | UVACanvas
canvas.virginia.edu
Open source2026 Canvas data breach - Wikipedia
en.wikipedia.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Infinite Campus says Salesforce account breach exposed school staff contact data
Infinite Campus, a major U.S. K-12 student information system provider, disclosed a security incident after a threat actor accessed an employee’s **Salesforce** account used for internal case management and ticketing and then attempted to extort the company. The company said the intrusion did **not** reach its student information system or customer databases, and that the data believed exposed was limited mainly to school staff names and contact details, much of it already publicly available. Threat actor **ShinyHunters** claimed responsibility, added Infinite Campus to its leak site, and threatened to publish allegedly stolen Salesforce records and internal corporate data if the company did not negotiate. Infinite Campus said it disabled the compromised account, began reviewing potentially affected Salesforce data for sensitive information that may have appeared in support tickets, and is notifying districts directly if further issues are identified. As a precaution, it also disabled some customer-facing services for organizations without IP restrictions while restoration work continued. The incident drew attention across the K-12 sector, with the North Carolina Department of Public Instruction saying it was in direct contact with the company and had not confirmed any impact to the state’s system, while Infinite Campus maintained that **no student data was breached**.
Mar 28, 2026
Ransomware and data-breach disclosures across education, critical infrastructure, and healthcare
Rome’s **La Sapienza University** shut down network systems as a precaution after a cyberattack caused widespread disruption and left its website offline; Italian media attributed the incident to a suspected ransomware operation linked to pro-Russian actor **Femwar02**, with reported tradecraft resembling **Bablock/Rorschach**-style fast encryption. Separately, Romania’s national oil pipeline operator **Conpet** reported a cyberattack that disrupted corporate IT and took down `www.conpet.ro` while leaving **OT/SCADA** and pipeline transport operations unaffected; **Qilin** claimed responsibility, alleging theft of nearly **1TB** of data and posting sample documents (including financial data and passport scans) to support extortion claims. In the U.S., government services contractor **Conduent** faced expanding breach impact from its January 2025 ransomware incident, with notifications indicating exposure potentially reaching **dozens of millions**; reported affected data includes **names, Social Security numbers, and medical/health insurance information**, with at least **15.4M** impacted in Texas and **10.5M** in Oregon per state disclosures. Additional healthcare-sector disclosures included a ransomware-linked intrusion at **Insightin Health** (unauthorized access in September 2025; **Medusa** claimed exfiltration of **378GB**) and a separate compromise at **Clinic Service Corporation** (August 2025 access window), while **Central Ozarks Medical Center** reported a criminal cyberattack affecting **11,818** individuals with exposure of PHI/PII (including SSNs and financial/insurance data). Other items in the set were not incident-specific: an **HHS-OIG** audit describing web application security weaknesses at a large hospital, and general guidance/education pieces on the value of medical records to attackers and **CISA** insider-threat guidance.
Mar 21, 2026
ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign
ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s **Mariner Society** loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained **8.7 million records** and **7.5 million unique email addresses**, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified. The same group also posted a **"Pay or Leak"** notice claiming it had compromised Udemy and stolen more than **1.4 million user records** along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.
May 6, 2026