ShinyHunters conducted a breach of Instructure's Canvas learning management system in April 2026, affecting over 150 UK higher education institutions. The breach resulted in data exfiltration but downstream damage was reported to be limited. The incident came to wider attention in late June 2026 when UK institutions began disclosing impacts.
Instructure
Parent platform behind Canvas LMS, Mastery, and Elevate Data.
Recent threats
ShinyHunters breached Instructure's Canvas learning management system in May 2026, exposing student names, email addresses, student ID numbers, and private messages across approximately 9,000 schools worldwide. The attack exploited weak identity verification in the Free-For-Teacher freemium account tier, which shared production infrastructure with institutional paid tenants. This marks the second targeted attack by ShinyHunters against Instructure in eight months.
Instructure (parent company of Canvas LMS) disclosed a data breach discovered April 29, 2026, affecting approximately 9,000 schools globally and 275 million individuals. Threat actor ShinyHunters claimed responsibility; compromised data included names, email addresses, student IDs, and user messages. The breach resulted from a Salesforce misconfiguration. A second breach attempt occurred days later involving unauthorized web messages. Instructure paid ransom to threat actors.
A commentary published 16 May 2026 in the Davis Enterprise by CalMatters contributor Foaad Khosmood reports that a cyberattack disrupted Instructure's Canvas learning management system on Thursday 14 May 2026, with students unable to complete or submit coursework and at least one requesting an assignment postponement as a result. The piece frames the incident as exposing broader cybersecurity weaknesses at universities that rely on Canvas, which serves millions of students. No threat actor, attack vector, scope of affected institutions, or evidence of data exfiltration is disclosed in the available text, and the article body is paywalled beyond the lede. Instructure has not been quoted in the accessible portion, and no CVE or vendor advisory is referenced. Treat as an unconfirmed service-impacting incident pending primary-source confirmation.
- Commentary: Hack exposes cybersecurity flaws at universities | F(opens in a new tab)
- No Canvas data leaked in Instructure breach, College and Instruc(opens in a new tab)
- Instructure faces federal scrutiny over Canvas LMS breach - Tech(opens in a new tab)
- ShinyHunters Hit Instructure + Downs Canvas Learning Management (opens in a new tab)
The University of California has confirmed it is monitoring a nationwide security incident affecting Instructure's Canvas learning management system, used by thousands of educational institutions globally. According to UC, the Canvas login page displayed a suspicious message originating from a threat actor, indicating a likely compromise or unauthorized modification of Canvas-facing infrastructure. UC is advising community members to remain vigilant while the situation is assessed. Details on the scope, root cause, and any data exposure have not yet been disclosed by Instructure. Educational institutions relying on Canvas should monitor official Instructure communications and review authentication and account activity for anomalies.
Instructure, operator of the Canvas learning management system, disclosed a data breach on May 7, 2026 after the extortion group ShinyHunters claimed responsibility and asserted it had stolen 275 million records. Instructure confirmed that names, email addresses, student ID numbers, and private messages between users were accessed before containment, affecting institutions that include over 7,000 universities and K-12 districts and roughly 41% of North American higher education. Canvas was placed into maintenance mode and taken offline during the incident, disrupting U.S. colleges and K-12 schools in the middle of finals period. The platform was restored after security patches were applied, though several institutions advised users to delay logging back in pending further guidance. Investigation and notifications to affected institutions are ongoing.
- 'Security patches' put student learning system back online after(opens in a new tab)
- Canvas data breach rattles colleges during finals period : NPR(opens in a new tab)
- Rising gas prices strain Charlotte drivers amid Iran conflict | (opens in a new tab)
- Canvas cybersecurity breach impacting millions of students promp(opens in a new tab)
- Developing: ShinyHunters Hacks Instructure Again; Canvas Down (1(opens in a new tab)
- Canvas Online Learning Platform Disabled After Breach by Hackers(opens in a new tab)