ShinyHunters Breaches Instructure Canvas LMS via Free Teacher Accounts
Key Takeaways The ShinyHunters hacking group breached Instructure’s Canvas Learning Management System (LMS) in May 2026. The attackers exploited vulnerabilities within the...
Key Takeaways
- The ShinyHunters hacking group breached Instructure’s Canvas Learning Management System (LMS) in May 2026.
- The attackers exploited vulnerabilities within the “Free-For-Teacher” account program to access production Canvas data.
- Exposed information includes user names, email addresses, student IDs, and private messages, impacting thousands of schools globally.
- While Instructure has addressed the immediate vulnerability by shutting down the program and rotating credentials, the stolen data poses a significant risk for future targeted phishing attacks.
ShinyHunters Exploits Instructure’s Canvas LMS Through Free Teacher Accounts
The notorious cybercrime syndicate, ShinyHunters, has successfully infiltrated Instructure, the company behind the widely adopted Canvas Learning Management System (LMS). This breach, which occurred in May 2026, reportedly exposed sensitive user data from a vast network of educational institutions worldwide. Details of the incident were outlined in a report, indicating that the breach compromised usernames, email addresses, student ID numbers, and private messages exchanged between Canvas users.
Table Of Content
This incident marks a significant escalation for ShinyHunters, which previously targeted Instructure in September 2024. That earlier attack, leveraging social engineering to compromise Salesforce business systems, did not impact Canvas product data directly. However, the May 2026 event represents a direct assault on the core Canvas platform, posing a more severe threat to the millions of students and educators globally who rely on it daily. These two distinct incidents highlight different attack vectors against separate components of Instructure’s infrastructure.
Threat intelligence analysts at Bitdefender have characterized ShinyHunters as an extortion-as-a-service group, known for employing voice phishing and social engineering tactics to gain initial access, often by impersonating IT support or trusted internal staff. Following the May 2026 breach, the group initiated a public extortion campaign on May 3, 2026, initially setting a deadline of May 8, which was subsequently extended to May 12, 2026. In response, Instructure temporarily took Canvas, Canvas Beta, and Canvas Test offline for investigation on May 8. Services were restored the following day, and critically, the “Free-For-Teacher” account program was permanently discontinued as part of the remediation efforts.
Exploitation of the Free-For-Teacher Program
ShinyHunters claims to have exfiltrated 3.6 TB of data, potentially affecting around 285 million users across 9,000 schools. While Instructure has not corroborated these specific figures, the company has officially confirmed the exposure of names, email addresses, student IDs, and certain private messages among Canvas users. Instructure has also stated that there is no evidence to suggest that passwords, dates of birth, government identification numbers, or financial information were compromised. Among the institutions reportedly impacted are prestigious universities such as the University of Pennsylvania, Harvard, MIT, Oxford, Rutgers, the University of North Carolina system, several colleges in Missouri, and various educational organizations across Australia and the European Union.
The “Free-For-Teacher” program allowed educators to create Canvas accounts without requiring institutional verification, providing them access to core Canvas functionalities for classroom use. These accounts operated on the same production Canvas infrastructure as paid institutional tenants, implying logical separation but shared underlying systems. ShinyHunters exploited this architectural nuance; an attacker utilizing a compromised free account could exhibit access patterns indistinguishable from a legitimate teacher evaluating the Canvas platform before formal institutional adoption. This made it difficult for schools to identify unauthorized access to their specific Canvas tenants originating from these free accounts, whether through legitimate course integrations or malicious activity during the exposure period.
The window of exposure for this breach extended from April 30 to May 8, 2026. During this time, the attacker gained unauthorized access to production Canvas data and potentially achieved write access, which was sufficient to deface login pages at multiple institutions. The exfiltrated data, including student IDs, email addresses, and private message content, represents a rich source of information for highly personalized and effective phishing campaigns targeting students and faculty.
The Broader Phishing Risk Ahead
The ramifications of a data breach extend far beyond the initial compromise. The stolen Canvas data, particularly its granular detail, poses a significant and ongoing risk by enabling sophisticated spear phishing campaigns that are far more convincing than generic attacks. An email that accurately references a specific Canvas course, directly quotes an actual private Canvas message, or includes the recipient’s legitimate student ID can establish a false sense of authenticity, making it incredibly difficult for even security-conscious users to detect the deception.
Instructure has advised affected schools to implement several mitigation strategies, including rotating API credentials, diligently monitoring for phishing emails that appear to originate from Canvas, inspecting login pages for any unauthorized alterations, and promptly informing students, faculty, and staff about the incident. Furthermore, schools should meticulously review Canvas logs for any accounts with external email addresses that accessed courses or messages during the critical exposure period of April 30 to May 8. Bitdefender MDR customers whose institutions were listed in ShinyHunters’ disclosure received direct notifications with tailored recommendations. Continuous monitoring of threat actor channels remains crucial as the full extent of the data compromise may yet emerge.
What You Should Do
- Educate Users: Immediately inform students, faculty, and staff about the breach and the potential for highly targeted phishing attacks leveraging stolen Canvas data. Emphasize vigilance for suspicious emails, even those that appear legitimate.
- Monitor and Audit: Actively monitor Canvas logs for unusual activity, especially from accounts with external email addresses that accessed courses or messages between April 30 and May 8, 2026.
- Rotate Credentials: Institutions should rotate all API credentials associated with their Canvas tenant to invalidate any potentially compromised keys.
- Inspect Login Pages: Regularly check Canvas login pages for any unauthorized modifications or defacements that could indicate further compromise or malicious redirects.
- Enhance Phishing Defenses: Implement advanced email security solutions capable of detecting spear phishing attempts and reinforce user training on identifying sophisticated social engineering tactics.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.