ShinyHunters Breaches Instructure Canvas LMS Through Free-For-Teacher Account Program

The infamous hacking group ShinyHunters has struck again, this time targeting Instructure, the company behind Canvas Learning Management System (LMS). In early May 2026, Instructure confirmed unauthorized activity on its Canvas platform after detecting suspicious access on April 29, 2026.

The breach exposed user names, email addresses, student ID numbers, and some private messages exchanged between Canvas users across thousands of schools worldwide.

This is not the first time ShinyHunters has gone after Instructure. The group previously targeted the company in September 2024, using social engineering tactics to compromise Salesforce business systems, though that attack did not touch any Canvas product data.

The May 2026 incident is a direct assault on the Canvas platform itself, making it far more serious for the millions of students and educators who depend on it daily. The two incidents also represent different attack classes against separate parts of Instructure's infrastructure.

Researchers and threat intelligence analysts at Bitdefender documented ShinyHunters’ operating pattern as that of an extortion-as-a-service group, historically relying on voice phishing and social engineering to gain initial access, often impersonating IT support or trusted internal personnel.

The group launched a public extortion campaign on May 3, 2026, setting an original deadline of May 8, which was later extended to May 12, 2026. Instructure took Canvas, Canvas Beta, and Canvas Test offline for investigation on May 8, restored service the next day, and permanently shut down the Free-For-Teacher account program as part of its response.

Free-For-Teacher Program Was Exploited

ShinyHunters claims to have stolen 3.6 TB of data covering approximately 285 million users across 9,000 schools, though Instructure has not confirmed those figures. What the company officially confirmed includes names, email addresses, student IDs, and some private messages between Canvas users.

Instructure stated there is no evidence of exposure for passwords, dates of birth, government identifiers, or financial information. Named institutions affected include the University of Pennsylvania, Harvard, MIT, Oxford, Rutgers, the University of North Carolina system, multiple Missouri colleges, and educational organizations in Australia and the EU.

The Free-For-Teacher account program allowed educators to create Canvas accounts without institutional verification, giving them access to Canvas features for classroom use. These accounts ran on the same production Canvas infrastructure shared with paid institutional tenants, meaning they were logically separated but backed by the same systems.

ShinyHunters exploited this gap, and an attacker using a compromised free account had access patterns indistinguishable from a legitimate teacher piloting Canvas before their school adopted the platform.

Schools had no native way to identify which Free-For-Teacher accounts accessed their institutional Canvas tenant, whether through legitimate course integrations or malicious activity during the exposure window. The exposure window ran from April 30 to May 8, 2026, when Instructure shut down the program and rotated privileged credentials and API keys.

The attacker gained unauthorized access to production Canvas data and potentially achieved write access sufficient to deface login pages at multiple institutions. The stolen data, including student IDs, email addresses, and private message content, represents high-quality material for personalized phishing campaigns targeting students and faculty.

The Broader Phishing Risk Ahead

The risk does not end once a breach window closes. Stolen Canvas data is particularly dangerous because it enables highly convincing spear phishing campaigns that generic attacks simply cannot replicate.

An email referencing a specific Canvas course, quoting an actual private Canvas message, or including the recipient’s real student ID establishes false credibility that can fool even careful users.

Instructure has recommended that schools rotate API credentials, monitor for phishing emails appearing to come from Canvas, check login pages for unauthorized changes, and alert students, faculty, and staff immediately. Schools should also review Canvas logs for accounts with external email addresses that accessed courses or messages during the April 30 to May 8 exposure window.
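
The log review described above can be scripted. The following is an added example, not Instructure's or Bitdefender's tooling: it assumes a page-view export with hypothetical columns (timestamp, user_id, email, url), a placeholder institutional domain example.edu, treats the window dates as UTC, and runs on constructed sample rows.

```python
import csv
import io
from datetime import datetime, timezone

# Exposure window from the article: April 30 to May 8, 2026 (assumed UTC, inclusive).
WINDOW_START = datetime(2026, 4, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 8, 23, 59, 59, tzinfo=timezone.utc)

# Assumptions: the school's own mail domains and the URL prefixes that mark
# course or message access in the export. Adjust both to your tenant.
INSTITUTION_DOMAINS = {"example.edu"}
SENSITIVE_PREFIXES = ("/courses/", "/conversations")

# Constructed sample export; the column names are hypothetical, not a Canvas schema.
SAMPLE_LOG = """timestamp,user_id,email,url
2026-04-29T22:10:00Z,101,teacher1@gmail.example,/courses/55/users
2026-05-02T03:14:09Z,101,teacher1@gmail.example,/courses/55/users
2026-05-02T03:15:40Z,101,teacher1@gmail.example,/conversations
2026-05-03T09:00:00Z,202,alice@example.edu,/courses/55/modules
2026-05-04T11:30:00Z,303,bob@students.example.edu,/courses/12
2026-05-06T18:45:12Z,404,Pilot.User@Outlook.example,/login/canvas
2026-05-09T00:00:01Z,505,late@mail.example,/courses/9
"""

def is_external(email):
    """True when the address is outside every institutional domain (subdomains are internal)."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in INSTITUTION_DOMAINS)

def flag_external_access(log_text):
    """Return {email: [(timestamp, url), ...]} for external accounts that touched
    courses or messages inside the exposure window."""
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if not (WINDOW_START <= ts <= WINDOW_END):
            continue  # outside the exposure window
        if not row["url"].startswith(SENSITIVE_PREFIXES):
            continue  # not a course or message request
        if is_external(row["email"]):
            hits.setdefault(row["email"].lower(), []).append((row["timestamp"], row["url"]))
    return hits

if __name__ == "__main__":
    for email, events in flag_external_access(SAMPLE_LOG).items():
        print(email, len(events), "events:", events)
```

Flagged accounts are leads for review rather than confirmed compromise, since legitimate external collaborators match the same filter.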

Bitdefender MDR customers whose institutions appeared on the ShinyHunters disclosure list were notified directly with recommended actions. Monitoring continues for the full disclosure cycle in case additional Canvas data surfaces on threat actor channels.

Indicators of Compromise (IoCs)

Type | Indicator | Description
URL | hxxp://91[.]215[.]85[.]103/pay_or_leak/instructure_affected_schools_list[.]txt | ShinyHunters public listing of affected institutions (defanged; access only from sandboxed environment)
URL | hxxps://shinyp0g4jjniry5qi824btzn0p6mxhrdtxe2k6pdy4g3vdzqvr[.]onion/ | ShinyHunters public data leak site (defanged; must use Tor or similar browser)
IP | 91[.]215[.]85[.]103 | ShinyHunters infrastructure hosting the affected schools list (defanged)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post ShinyHunters Breaches Instructure Canvas LMS Through Free-For-Teacher Account Program appeared first on Cyber Security News.

Source: cybersecuritynews.com