The notorious hacking syndicate ShinyHunters has once again targeted Instructure, the creator of the Canvas Learning Management System (LMS). On April 29, 2026, suspicious activities were detected on the Canvas platform, prompting Instructure to confirm unauthorized access in early May. This breach compromised user names, email addresses, student IDs, and a number of private messages exchanged among users globally.
Previously, ShinyHunters attacked Instructure in September 2024, using social engineering to infiltrate Salesforce business systems. However, that attack did not impact Canvas products. In contrast, the May 2026 breach directly targeted Canvas, posing a significant threat to millions of students and educators who rely on it daily. These breaches highlight different attack strategies on Instructure’s infrastructure.
Details of the Breach
Bitdefender’s threat intelligence team has documented ShinyHunters as an extortion-as-a-service entity, known for using voice phishing and social engineering. Impersonating IT support, the group launched a public extortion campaign on May 3, 2026, which initially set a deadline of May 8, later extended to May 12. In response, Instructure took down Canvas services on May 8 for investigation, reinstating them the following day. The Free-For-Teacher account program was permanently discontinued as a countermeasure.
ShinyHunters claims to have stolen 3.6 TB of data affecting approximately 285 million users from 9,000 schools, though Instructure has not verified these figures. Confirmed compromised data includes names, emails, and student IDs, while passwords and financial information remain secure. Institutions such as the University of Pennsylvania, MIT, and Harvard were among those impacted.
Exploitation of Free-For-Teacher Accounts
The Free-For-Teacher program, which allowed educators to access Canvas without institutional verification, became an entry point for ShinyHunters. While these accounts shared the same infrastructure as paid accounts, they were separated logically. This separation was exploited, allowing attackers to mimic legitimate account activity.
During the exposure window from April 30 to May 8, 2026, attackers accessed production data and possibly altered login pages. Schools lacked tools to differentiate Free-For-Teacher accounts from institutional accounts, complicating detection of malicious activity.
Ongoing Phishing Threats
The closure of the breach window does not eliminate risk. The stolen data can fuel sophisticated spear phishing campaigns, leveraging real course information and messages to deceive users. To mitigate risks, Instructure advises schools to rotate API credentials, monitor for suspicious emails, and inspect login pages for unauthorized changes. Reviewing Canvas logs for unusual account access is also recommended.
While Bitdefender continues to monitor for further disclosures, affected institutions have been informed with recommended actions. The situation underscores the importance of vigilance against cyber threats in education technology systems.
