Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
ClickLock macOS Stealer Kills Apps, Forces Password Entry
July 17, 2026
Top 10 Identity Threat Detection and Response (ITDR) Solutions for 2026
July 17, 2026
GPT-5.6 Codex Bug Deletes Files From Home Directories
July 17, 2026
Home/Threats/ShinyHunters Breaches Instructure Canvas LMS via Free Teacher Accounts
Threats

ShinyHunters Breaches Instructure Canvas LMS via Free Teacher Accounts

Key Takeaways The ShinyHunters hacking group breached Instructure’s Canvas Learning Management System (LMS) in May 2026. The attackers exploited vulnerabilities within the...

Jennifer sherman
Jennifer sherman
May 11, 2026 4 Min Read
42 0

Key Takeaways

  • The ShinyHunters hacking group breached Instructure’s Canvas Learning Management System (LMS) in May 2026.
  • The attackers exploited vulnerabilities within the “Free-For-Teacher” account program to access production Canvas data.
  • Exposed information includes user names, email addresses, student IDs, and private messages, impacting thousands of schools globally.
  • While Instructure has addressed the immediate vulnerability by shutting down the program and rotating credentials, the stolen data poses a significant risk for future targeted phishing attacks.

ShinyHunters Exploits Instructure’s Canvas LMS Through Free Teacher Accounts

The notorious cybercrime syndicate, ShinyHunters, has successfully infiltrated Instructure, the company behind the widely adopted Canvas Learning Management System (LMS). This breach, which occurred in May 2026, reportedly exposed sensitive user data from a vast network of educational institutions worldwide. Details of the incident were outlined in a report, indicating that the breach compromised usernames, email addresses, student ID numbers, and private messages exchanged between Canvas users.

Table Of Content

  • Key Takeaways
  • ShinyHunters Exploits Instructure’s Canvas LMS Through Free Teacher Accounts
  • Exploitation of the Free-For-Teacher Program
  • The Broader Phishing Risk Ahead
  • What You Should Do

This incident marks a significant escalation for ShinyHunters, which previously targeted Instructure in September 2024. That earlier attack, leveraging social engineering to compromise Salesforce business systems, did not impact Canvas product data directly. However, the May 2026 event represents a direct assault on the core Canvas platform, posing a more severe threat to the millions of students and educators globally who rely on it daily. These two distinct incidents highlight different attack vectors against separate components of Instructure’s infrastructure.

Threat intelligence analysts at Bitdefender have characterized ShinyHunters as an extortion-as-a-service group, known for employing voice phishing and social engineering tactics to gain initial access, often by impersonating IT support or trusted internal staff. Following the May 2026 breach, the group initiated a public extortion campaign on May 3, 2026, initially setting a deadline of May 8, which was subsequently extended to May 12, 2026. In response, Instructure temporarily took Canvas, Canvas Beta, and Canvas Test offline for investigation on May 8. Services were restored the following day, and critically, the “Free-For-Teacher” account program was permanently discontinued as part of the remediation efforts.

Exploitation of the Free-For-Teacher Program

ShinyHunters claims to have exfiltrated 3.6 TB of data, potentially affecting around 285 million users across 9,000 schools. While Instructure has not corroborated these specific figures, the company has officially confirmed the exposure of names, email addresses, student IDs, and certain private messages among Canvas users. Instructure has also stated that there is no evidence to suggest that passwords, dates of birth, government identification numbers, or financial information were compromised. Among the institutions reportedly impacted are prestigious universities such as the University of Pennsylvania, Harvard, MIT, Oxford, Rutgers, the University of North Carolina system, several colleges in Missouri, and various educational organizations across Australia and the European Union.

The “Free-For-Teacher” program allowed educators to create Canvas accounts without requiring institutional verification, providing them access to core Canvas functionalities for classroom use. These accounts operated on the same production Canvas infrastructure as paid institutional tenants, implying logical separation but shared underlying systems. ShinyHunters exploited this architectural nuance; an attacker utilizing a compromised free account could exhibit access patterns indistinguishable from a legitimate teacher evaluating the Canvas platform before formal institutional adoption. This made it difficult for schools to identify unauthorized access to their specific Canvas tenants originating from these free accounts, whether through legitimate course integrations or malicious activity during the exposure period.

The window of exposure for this breach extended from April 30 to May 8, 2026. During this time, the attacker gained unauthorized access to production Canvas data and potentially achieved write access, which was sufficient to deface login pages at multiple institutions. The exfiltrated data, including student IDs, email addresses, and private message content, represents a rich source of information for highly personalized and effective phishing campaigns targeting students and faculty.

The Broader Phishing Risk Ahead

The ramifications of a data breach extend far beyond the initial compromise. The stolen Canvas data, particularly its granular detail, poses a significant and ongoing risk by enabling sophisticated spear phishing campaigns that are far more convincing than generic attacks. An email that accurately references a specific Canvas course, directly quotes an actual private Canvas message, or includes the recipient’s legitimate student ID can establish a false sense of authenticity, making it incredibly difficult for even security-conscious users to detect the deception.

Instructure has advised affected schools to implement several mitigation strategies, including rotating API credentials, diligently monitoring for phishing emails that appear to originate from Canvas, inspecting login pages for any unauthorized alterations, and promptly informing students, faculty, and staff about the incident. Furthermore, schools should meticulously review Canvas logs for any accounts with external email addresses that accessed courses or messages during the critical exposure period of April 30 to May 8. Bitdefender MDR customers whose institutions were listed in ShinyHunters’ disclosure received direct notifications with tailored recommendations. Continuous monitoring of threat actor channels remains crucial as the full extent of the data compromise may yet emerge.

What You Should Do

  • Educate Users: Immediately inform students, faculty, and staff about the breach and the potential for highly targeted phishing attacks leveraging stolen Canvas data. Emphasize vigilance for suspicious emails, even those that appear legitimate.
  • Monitor and Audit: Actively monitor Canvas logs for unusual activity, especially from accounts with external email addresses that accessed courses or messages between April 30 and May 8, 2026.
  • Rotate Credentials: Institutions should rotate all API credentials associated with their Canvas tenant to invalidate any potentially compromised keys.
  • Inspect Login Pages: Regularly check Canvas login pages for any unauthorized modifications or defacements that could indicate further compromise or malicious redirects.
  • Enhance Phishing Defenses: Implement advanced email security solutions capable of detecting spear phishing attempts and reinforce user training on identifying sophisticated social engineering tactics.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitphishingThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Hugging Face Repository Executes Malware on Windows Machines

Next Post

Law Enforcement Takedown Exposes 22,000 Cybercrime Forum Users

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Linus Torvalds Clarifies Linux Kernel’s Stance on AI Development
July 17, 2026
7-Zip Critical Vulnerability Exposes Millions to Remote Code Execution
July 17, 2026
Two Hackers Jailed for Hacking 148 TfL Systems, Forcing 27,000 Staff Password Resets
July 17, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us