Concise Cyber

Subscribe below for free to get these delivered straight to your inbox

Advertisements
Double Canvas Breach Confirmed as ShinyHunters Sets New Pay-or-Leak Deadline
Advertisements

Instructure, the company behind the Canvas learning platform, has confirmed two separate unauthorized intrusions affecting its online education system within a two-week period. The disclosure comes as the data-theft-and-extortion group ShinyHunters says it will publish stolen data unless affected institutions negotiate by the end of May 12.

The incident disrupted access for colleges, universities, and K-12 schools during a stressful stretch that included final exams and Advanced Placement testing. Instructure says Canvas is now back online, but the company has also acknowledged that some data was taken during the intrusions.

What Instructure says was affected

According to Instructure’s Monday disclosure, the company detected unauthorized activity in Canvas on April 29 and later identified additional unauthorized activity tied to the same incident on May 7. The company said the intrusions involved its Free-for-Teacher learning system, which was exploited through a security vulnerability. The root cause beyond that vulnerability has not been confirmed in the source material.

Instructure said the stolen data included:

  • Usernames
  • Email addresses
  • Course names
  • Enrollment information
  • Messages

The company also said that core learning data was not compromised. That category included course content, submissions, and credentials. Instructure emphasized that it is still validating its findings and was careful to distinguish what it believes was affected from what was not.

ShinyHunters’ leak threat and claims

ShinyHunters said it stole 3.65 TB of data and claimed the material includes about 275 million records tied to around 8,800 schools worldwide. The group also claimed the records relate to students, teachers, and staff at nearly 9,000 schools, and it said some of the institutions were major universities including Harvard, Columbia, Rutgers, Georgetown, and Stanford.

The group reportedly defaced about 330 Canvas school login portals using the same Free-for-Teacher vulnerability. After moving the deadline several times, ShinyHunters set a final pay-or-leak cutoff for the end of May 12, telling individual institutions to contact it directly to negotiate payment or face publication of the dataset.

How Instructure responded

Instructure said it took several defensive steps after the intrusion was discovered. It temporarily shut down Free-for-Teacher accounts, revoked privileged credentials and access tokens tied to compromised systems, rotated internal keys, restricted token creation pathways, and added monitoring across all platforms.

The company also said it hired CrowdStrike to assist with forensic analysis and incident response. Instructure notified the FBI and the US Cybersecurity and Infrastructure Security Agency, according to the source material.

  • Temporary shutdown of Free-for-Teacher accounts
  • Revocation of privileged credentials and access tokens
  • Rotation of internal keys
  • Restriction of token creation pathways
  • Additional monitoring across all platforms
  • Engagement of CrowdStrike for incident response

A second breach in less than a year

This is the second breach Instructure has disclosed in less than a year. ShinyHunters claimed a prior breach of Instructure’s Salesforce environment in September 2025. Instructure did not name the group in its latest disclosure, but it stated that the Salesforce-related incident and the Canvas incident were distinct events involving different systems and circumstances.

Later updates in the company’s incident report said all Canvas environments were available and that Instructure had reached an agreement with the unauthorized actor involved. The company said it received digital confirmation of data destruction, or shred logs, and stated that no Instructure customers would be extorted as a result of the incident. It also said the agreement covered all impacted customers and that there was no need for individual customers to try to engage with the unauthorized actor.

The language in the update strongly suggests Instructure paid a ransom, though the company did not explicitly use that phrase in the quoted material. The company said it believed taking every step within its control was important to give customers additional peace of mind.

What happens next

The key unresolved issue is whether ShinyHunters will honor its latest deadline and whether any stolen data will be published. For now, the confirmed facts are that Instructure suffered two unauthorized intrusions, some data was taken, Canvas was temporarily disrupted, and the company says the service is fully back online.

The incident now stands as a major example of how quickly a vulnerability in a learning system can affect schools at scale. With the leak deadline set and the investigation still underway, institutions connected to Canvas are waiting to see whether the group makes good on its threat.

For the moment, the root cause has not been fully established beyond the confirmed exploitation of the Free-for-Teacher vulnerability, and the public details remain limited to what Instructure and ShinyHunters have disclosed.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources.The intent is only to summarise what is already reported in public forum in our own wordswith no intention to plagarise or copy other person’s work.The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment.The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com.You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications.If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/

Discover more from Concise Cyber

Subscribe now to keep reading and get access to the full archive.

Continue reading