Cyber Incident Victim: Canvas
Date:
Apr 2026
Location:
United States of America
Summary
Canvas was targeted by the hacking group ShinyHunters, which claimed access to names, email addresses, student identification numbers and private messages from thousands of schools worldwide affecting hundreds of millions of users. The intrusion was first detected through suspicious activity linked to Free‑For‑Teacher accounts, prompting the platform to be taken offline multiple times to contain the breach and prevent further unauthorized changes. During the outage, many educational institutions experienced disruptions to coursework, exams and communications, with some temporarily disabling access while investigations continued. No evidence emerged that passwords, Social Security numbers or financial data were compromised, though the attackers threatened to leak the stolen information unless demands were met.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 29, 2026, Instructure discovered unauthorized activity on its Canvas learning management system and immediately revoked the attacker's access. The following day, additional suspicious access was detected, prompting further security measures. On May 2, the company's chief information security officer stated that the incident appeared to be contained after patching and rotating keys. By May 6, Instructure reported that no ongoing unauthorized activity was observed. However, on May 7, users reported seeing a ransom message from the hacking group ShinyHunters when attempting to log into Canvas, leading Instructure to take the platform offline again that day. Instructure confirmed that the unauthorized actor had exploited an issue related to its Free-For-Teacher accounts and, as a precaution, temporarily shut down those accounts. After implementing additional controls, Instructure restored Canvas access and announced on May 8 that the platform was fully back online and available for use. Throughout the incident, Instructure engaged outside forensic experts and notified law enforcement agencies including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Agency.
The disruption affected thousands of educational institutions worldwide, with ShinyHunters claiming access to data from approximately 9,000 schools and about 275 million individuals, including names, email addresses, student identification numbers, and private messages sent through Canvas. No evidence was found that passwords, Social Security numbers, birth dates, or financial information had been compromised. In response to the outage, several universities canceled or rescheduled final exams; Penn State canceled Thursday night and Friday exams, Boise State canceled Friday's final exams, Mississippi State rescheduled Friday exams for Saturday, UT San Antonio postponed assignments and exams to a near future date, and James Madison University pushed Friday morning exams to Wednesday. K-12 districts such as Orange County Public Schools in Florida, Arlington Public Schools in Virginia, and San Diego Unified School District in California received notifications of potential breach and temporarily disabled Canvas access out of caution. Some institutions shifted to alternative communication tools like email, Microsoft Teams, and cloud‑sharing platforms, while others waived late penalties and delayed exams for students unable to access course materials. Throughout the incident, school officials warned students and faculty to watch for phishing messages and scams related to the breach.