Instructure Canvas Data Breach

Overview
Incident Type: Data Breach
Vendor: Instructure
Product: Canvas (Learning Management System)
Advisory Date: 6 May 2026
Instructure has confirmed a cybersecurity incident involving a criminal threat actor. Public reporting says the ShinyHunters extortion group has claimed responsibility and threatened to leak stolen data.
According to Instructure's public updates, the information involved appears to include certain identifying information of users at affected institutions, such as names, email addresses, student ID numbers, and messages among users. Instructure has stated there is currently no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
Wider ShinyHunters Activity
ShinyHunters has been linked to a series of "pay or leak" extortion attempts in 2026. On 24 April 2026, the group claimed to have breached Udemy and threatened to leak more than 1.4 million records said to contain PII and internal corporate data. Udemy has not confirmed the breach, and the figures remain threat actor claims.
Treat ShinyHunters claims as credible threats pending vendor confirmation, and watch for similar "pay or leak" activity targeting other SaaS vendors in your stack.
Affected Environment
Institutions using Instructure services, especially Canvas
Some tools relying on Instructure API keys may require reauthorisation after key rotation
According to vendor updates, Canvas Data 2 and Beta were restored for customers, while Canvas Test remained under maintenance
Confirmed and Reported Exposure
Confirmed by vendor
Names
Email addresses
Student ID numbers
Messages among users at affected institutions
Publicly reported claims from the threat actor
Public reporting says ShinyHunters claimed the incident could affect thousands of institutions and a very large number of users. These figures should be treated as threat actor claims until independently confirmed by Instructure and impacted institutions.
Operational Response by Instructure
Instructure says it has:
Revoked privileged credentials and access tokens associated with affected systems
Deployed patches to enhance system security
Rotated certain application keys as a precaution
Increased monitoring across platforms
Worked with outside forensics experts and law enforcement
Mitigation
Review Instructure status updates and any direct notice from your institution or vendor contact
Reauthorise integrations and tools that rely on reissued Instructure application keys
Review logs for unusual access, token activity, and administrative behaviour
Alert staff and students to phishing, credential harvesting, and social engineering risks
Assess whether exposed messages or user identifiers create privacy, compliance, or reputational risk
Prepare internal and external communications in case your institution is confirmed as affected
Summary for IT Teams
Products: Instructure Canvas and related services
Threat Level: High
Action Required: Review vendor updates, reauthorise impacted integrations, monitor for phishing and suspicious access, and prepare incident response communications
Reference
BleepingComputer - Instructure confirms data breach, ShinyHunters claims attack
Bitdefender - Instructure confirms breach; millions of Canvas users potentially impacted
Need Help?
If your organisation needs support assessing exposure, validating integrations, or preparing response communications, Secure ISS can help. Call 1300 769 460 or email us.
