Days after confirming a major data breach, Instructure is now facing a second blow.

Earlier this week, Instructure confirmed a major data breach affecting its cloud‑hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of schools and universities worldwide. As discussed in our earlier blog, that incident involved data such as student and staff records, enrollment details, and private messages allegedly accessed through Canvas export features and APIs. At that stage, the focus was on large‑scale data theft and the long‑term risks for affected students and families, including identity fraud and highly targeted phishing.

According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure’s systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on‑screen ransom message.

The message both claimed responsibility for the earlier breach and set a deadline of May 12 for Instructure and affected schools to contact the gang or risk the public release of stolen data.

This second wave matters for two reasons. First, it confirms that ShinyHunters still has meaningful access to Instructure’s environment, or at least to components that control the look and behavior of school login pages. Second, it marks a clear escalation in pressure tactics, from leaked claims and dark web posts to messages shown directly to students, parents, and staff trying to access their courses.

How to deal with this data breach

For students and families, the practical advice from our original blog still applies:

• Reset Canvas‑related passwords
• Enable multi‑factor authentication where possible
• Monitor financial and credit activity as children get older
• Stay wary of highly personalized phishing that references real schools, courses, or teachers

For schools and districts, this latest extortion campaign underlines the need to coordinate closely with Instructure, review single sign-on (SSO) integrations, and prepare clear communications so that any future defacements or data leaks do not catch staff and parents by surprise.

---

---

ShinyHunters hackers defaced the official Canvas LMS portal after breaching Instructure systems, disrupting university access worldwide.

ShinyHunters breached Instructure and Vimeo, exposing millions of student and user records through direct and supply chain attacks.

Instructure, maker of the Canvas learning platform, is investigating a cyber incident that exposed users’ personal data.

Instructure is a U.S.-based educational technology company best known for developing Canvas, one of the world’s most widely used learning management systems (LMS). 

The U.S. firm confirrmed a cybersecurity incident that exposed users’ personal information. The company is working with external cybersecurity experts and law enforcement to investigate the breach. Canvas is widely used by schools and universities to manage courses, assignments, and online learning, raising concerns about student and staff data security.

The company says the security incident appears to be contained while investigations continue. Instructure revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems.

“Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.” reads the Incident Report. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”

So far, the exposed data likely includes user identifiers such as names, email addresses, student ID numbers, and some user messages. The company states that there is currently no evidence that passwords, dates of birth, government IDs, or financial data were affected.

The educational technology firm continues to monitor the situation and will notify institutions if new findings emerge, while updating its status page and working to strengthen system security.

Instructure did not share details about the attack, however, the ShinyHunters extortion group claimed responsibility for the attack and added the company to its Tor data leak site.

“Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.” the group wrote on its leak site. “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.,” reads the data leak site.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

A Canvas cybersecurity incident has disrupted services at Instructure, the company behind the widely used Canvas platform, raising concerns among educational institutions over potential data exposure and service interruptions. The Canvas cybersecurity incident first came to light late Friday, when Instructure disclosed that it had detected unauthorized activity linked to a cyberattack. The company said it immediately launched an investigation with the support of external forensic experts to determine the scope and impact. By Saturday, Chief Information Security Officer Steve Proud confirmed that attackers had gained access to certain user data from some institutions. The exposed information includes names, email addresses, student identification numbers, and messages exchanged within the platform. Proud emphasized that the incident has been contained. He added that the response involved revoking privileged credentials and access tokens, deploying security patches, and increasing system-wide monitoring. However, some of these defensive measures led to temporary disruptions in services, particularly tools dependent on API keys.

Canvas Cybersecurity Incident: No Financial or Sensitive Identity Data Compromised

Despite the data breach, Instructure stated that there is currently no evidence that highly sensitive data such as passwords, financial information, government identifiers, or dates of birth were accessed. The company noted it will notify affected institutions if any new findings emerge. Canvas is used extensively by schools, universities, and enterprises to manage coursework, host educational content, and facilitate communication between students and educators. The scale of its usage has amplified concerns around the potential reach of the incident.

ShinyHunters Claims Large-Scale Data Theft

The cybercriminal group ShinyHunters claimed responsibility for the attack on Sunday, alleging it had stolen 3.6 terabytes of data affecting more than 9,000 schools. These claims have not been independently verified, and Instructure has not publicly responded to the group’s assertions. [caption id="attachment_111847" align="aligncenter" width="657"] Source: X[/caption] Such claims, if validated, could significantly expand the scope of the Canvas cybersecurity incident beyond initial disclosures. For now, the company maintains that its investigation is ongoing.

Ongoing Maintenance and Service Restoration Efforts

Instructure has been providing regular updates as it works to stabilize systems affected by the Canvas cybersecurity incident. As of May 5, Canvas Data 2 and Beta services have largely been restored, while the Test environment remains under maintenance. Earlier updates indicated that some users experienced disruptions due to reissued application keys, a precautionary measure taken to enhance security. Users were required to re-authorize access to certain tools, with updated keys identifiable by timestamps. The company also confirmed that it rotated certain keys even without evidence of misuse, reflecting a cautious approach to securing its infrastructure.

Continued Monitoring as Investigation Proceeds

The investigation into the Canvas cybersecurity incident remains active, with Instructure continuing to monitor its systems and assess potential risks. The company has reiterated its commitment to transparency and stated that updates will be shared as new information becomes available. For institutions relying on Canvas, the incident highlights the operational impact of cybersecurity threats on critical education platforms. While services are gradually being restored, the focus now shifts to understanding the full extent of the breach and preventing similar incidents in the future.

What happened Instructure, the company behind the Canvas learning management system, has disclosed that it recently suffered a cybersecurity incident perpetrated by a criminal threat actor and is now investigating its scope with the help of outside forensics experts. The disclosure was made by Chief Security Officer Steve Proud, who committed to transparency as the […]

The post Edtech Firm Instructure Discloses Cyber Incident, Probes Impact appeared first on CISO Whisperer.

The post Edtech Firm Instructure Discloses Cyber Incident, Probes Impact appeared first on Security Boulevard.