Technical Advisory: Breach of Instructure Canvas LMS
In early May 2026, Instructure confirmed a data breach of its Canvas learning platform caused by the threat actor ShinyHunters exploiting the Free-For-Teacher account program. The breach exposed personal information including names, email addresses, student IDs, and private messages of approximately 275 million users across 9,000 schools worldwide. The exposure window lasted from April 30 to May 7, 2026. In response, Instructure permanently shut down the Free-For-Teacher program, rotated API keys and privileged credentials, and engaged forensic investigators. The stolen data enables targeted phishing campaigns against students and faculty, and attackers may have had write access sufficient to deface login pages at multiple institutions. No official patch or fix is indicated, but remediation actions have been taken by Instructure. The severity is assessed as medium based on the impact described.
AI Analysis
Technical Summary
The Canvas learning platform by Instructure suffered a breach in early May 2026 when the threat actor ShinyHunters exploited the Free-For-Teacher account program. This exploitation led to unauthorized access and exfiltration of 3.6 TB of data, including sensitive user information such as names, email addresses, student IDs, and private messages. The breach affected approximately 275 million users across 9,000 educational institutions globally, including those in the US, Australia, and the EU. The exposure window was from April 30 to May 7, 2026. Instructure responded by permanently disabling the Free-For-Teacher program, rotating API keys and privileged credentials, and initiating forensic investigations. The stolen data facilitates personalized phishing attacks and potentially allows attackers to deface login pages due to possible write access. There is no indication of a formal patch, but remediation efforts have been implemented by the vendor.
Potential Impact
The breach exposed sensitive personal information of a very large user base, including students and faculty, across thousands of educational institutions worldwide. This data exposure enables attackers to conduct highly targeted phishing campaigns and social engineering attacks. Additionally, attackers may have had sufficient access to alter login pages at multiple institutions, increasing the risk of further compromise or credential theft. The breach represents a significant privacy and security risk to affected individuals and organizations.
Mitigation Recommendations
Instructure has permanently shut down the Free-For-Teacher program and rotated API keys and privileged credentials to mitigate ongoing risk. Forensic investigations are ongoing. Organizations using Canvas should review their security posture in light of this breach and monitor for phishing attempts leveraging stolen data. Patch status is not applicable as this is a compromise of a program and platform rather than a software vulnerability with a patch. Users and administrators should follow vendor guidance and security best practices for credential and account protection.
Indicators of Compromise
- ip: 91.215.85.103
- url: http://91.215.85.103/pay_or_leak/instructure_affected_schools_list.txt
Technical Advisory: Breach of Instructure Canvas LMS
Description
In early May 2026, Instructure confirmed a data breach of its Canvas learning platform caused by the threat actor ShinyHunters exploiting the Free-For-Teacher account program. The breach exposed personal information including names, email addresses, student IDs, and private messages of approximately 275 million users across 9,000 schools worldwide. The exposure window lasted from April 30 to May 7, 2026. In response, Instructure permanently shut down the Free-For-Teacher program, rotated API keys and privileged credentials, and engaged forensic investigators. The stolen data enables targeted phishing campaigns against students and faculty, and attackers may have had write access sufficient to deface login pages at multiple institutions. No official patch or fix is indicated, but remediation actions have been taken by Instructure. The severity is assessed as medium based on the impact described.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Canvas learning platform by Instructure suffered a breach in early May 2026 when the threat actor ShinyHunters exploited the Free-For-Teacher account program. This exploitation led to unauthorized access and exfiltration of 3.6 TB of data, including sensitive user information such as names, email addresses, student IDs, and private messages. The breach affected approximately 275 million users across 9,000 educational institutions globally, including those in the US, Australia, and the EU. The exposure window was from April 30 to May 7, 2026. Instructure responded by permanently disabling the Free-For-Teacher program, rotating API keys and privileged credentials, and initiating forensic investigations. The stolen data facilitates personalized phishing attacks and potentially allows attackers to deface login pages due to possible write access. There is no indication of a formal patch, but remediation efforts have been implemented by the vendor.
Potential Impact
The breach exposed sensitive personal information of a very large user base, including students and faculty, across thousands of educational institutions worldwide. This data exposure enables attackers to conduct highly targeted phishing campaigns and social engineering attacks. Additionally, attackers may have had sufficient access to alter login pages at multiple institutions, increasing the risk of further compromise or credential theft. The breach represents a significant privacy and security risk to affected individuals and organizations.
Mitigation Recommendations
Instructure has permanently shut down the Free-For-Teacher program and rotated API keys and privileged credentials to mitigate ongoing risk. Forensic investigations are ongoing. Organizations using Canvas should review their security posture in light of this breach and monitor for phishing attempts leveraging stolen data. Patch status is not applicable as this is a compromise of a program and platform rather than a software vulnerability with a patch. Users and administrators should follow vendor guidance and security best practices for credential and account protection.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://businessinsights.bitdefender.com/technical-advisory-shinyhunters-breach-instructure-canvas-lms"]
- Adversary
- ShinyHunters
- Pulse Id
- 69ff1751e4c61c728c808734
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip91.215.85.103 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://91.215.85.103/pay_or_leak/instructure_affected_schools_list.txt | — |
Threat ID: 6a01aa1fcbff5d8610f2b57c
Added to database: 5/11/2026, 10:06:23 AM
Last enriched: 5/11/2026, 10:22:55 AM
Last updated: 5/11/2026, 4:45:15 PM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.