Instructure, the company behind the Canvas learning management system that runs at thousands of universities, K–12 districts, and corporate training programs worldwide, has confirmed a data breach that ShinyHunters is now using as leverage in a public extortion campaign. The numbers being thrown around by the threat actor are absurd on their face — 3.65 terabytes of data, 275 million students and teachers, close to 9,000 institutions — and the ransom deadline is tomorrow, May 6, 2026.
This is the second time in eight months that ShinyHunters has walked off with Canvas data. The September 2025 incident pivoted through Instructure’s Salesforce environment via vishing. This one, per the group’s own claims, exploited a vulnerability in Instructure’s systems that has since been patched — and they say they got into the Salesforce instance again on the way out.
What happened
The timeline, reconstructed from Instructure’s own disclosures and ShinyHunters’ leak-site post:
- April 30 — Instructure detects disruption affecting tooling that depends on Canvas Data 2 API keys. Internally, they treat it as a breach in progress.
- May 1 — CISO Steve Proud publicly acknowledges that “a criminal threat actor” has accessed the Instructure network. Outside IR is engaged.
- May 2 — Privileged credentials and application keys associated with the affected systems are revoked and reissued. Customers integrating with Canvas Data 2 are told to rotate.
- May 3 — ShinyHunters lists Instructure on its data-leak site, claiming 3.65 TB of exfiltrated data and 275M affected users. Canvas Data 2 functionality is restored to global customers the same day.
- May 6 — Ransom deadline. ShinyHunters has signaled a full public dump if Instructure refuses to pay.
What was taken
Instructure’s forensic investigation, as of May 3, confirms exposure of names, email addresses, student ID numbers, and inter-user messages within Canvas. The company says it has found “no evidence” that passwords, dates of birth, government identifiers, or financial information were involved. That carve-out matters less than it sounds — student-teacher message content alone is a goldmine for credential phishing tailored to specific schools, faculty, and ongoing courses.
ShinyHunters’ own claim adds a Salesforce footprint: the same instance they previously breached via social engineering in September 2025. If accurate, this means CRM-style records (institution contacts, sales correspondence, support tickets) are also in the dump alongside Canvas user data.
Why this is an infrastructure problem, not just an edtech problem
Canvas is the dominant LMS in U.S. higher ed and runs significant portions of K–12 and enterprise training globally. A single SaaS tenant compromise here cascades into thousands of downstream institutions that have neither IR capacity nor leverage over the vendor’s containment timeline. The reissued application keys are the visible surface; what every Canvas-integrated downstream environment should be assuming is that anything those keys touched between April 30 and May 2 is potentially exposed.
The repeat-victim pattern is worth noting. Eight months between major ShinyHunters incidents at the same vendor — first via vishing into Salesforce, this time via what Instructure describes as a since-patched vulnerability with an alleged Salesforce pivot tagging along — suggests either persistent access that was never fully evicted in 2025, or an organizational target list ShinyHunters keeps coming back to. Either way, “we patched the vulnerability” is not the end state customers should be planning around.
What to do right now
If you operate Canvas integrations or consume Canvas Data 2:
- Rotate any API keys, OAuth client secrets, and service-account credentials that were active between April 30 and May 3 — assume they were observed even if Instructure rotated theirs.
- Audit Canvas Data 2 ETL outputs for new accounts, role changes, or message exports in that window.
- Treat user-to-user message content as compromised for the purposes of phishing risk modeling. Faculty inboxes are now high-value targets for course-specific lures.
- For institutions that also have Instructure tied into a Salesforce or CRM workflow, treat that tenant as in scope until Instructure publishes a clearer statement on the Salesforce angle.
If your institution is one of the ~9,000 named in the ShinyHunters claim — and right now nobody outside Instructure and ShinyHunters knows which ones those are — your incident clock started April 30, not whenever the leak gets publicly indexed.
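The first two checklist items can be turned into a repeatable triage pass. The following is an added example, not code from Instructure or from this article's sources: the record fields, event labels, and credential names are hypothetical stand-ins for your own credential inventory and ETL output (they are not the Canvas Data 2 schema), and the window is assumed to be bounded in UTC.

```python
from datetime import datetime, timezone

# Exposure window from the checklist: April 30 through May 3, 2026.
# Assumption: boundaries are in UTC; the end is exclusive so all of May 3 counts.
WINDOW_START = datetime(2026, 4, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 4, tzinfo=timezone.utc)
# Hypothetical event labels for the three things the checklist names.
SUSPECT_EVENTS = {"account_created", "role_changed", "message_export"}

def parse_ts(value):
    """Parse an ISO 8601 string; naive values are treated as UTC, empty as None."""
    if not value:
        return None
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def classify_credentials(inventory):
    """Map credential name -> action for those live at any point in the window."""
    actions = {}
    for cred in inventory:
        issued, revoked = parse_ts(cred["issued"]), parse_ts(cred.get("revoked"))
        if issued >= WINDOW_END or (revoked and revoked <= WINDOW_START):
            continue  # never live inside the window
        # Still live: rotate. Already revoked: still review what it touched.
        actions[cred["name"]] = "rotate" if revoked is None else "review-usage"
    return actions

def events_to_review(events):
    """Suspect events whose UTC-normalised timestamp falls inside the window."""
    hits = []
    for ev in events:
        ts = parse_ts(ev["ts"]).astimezone(timezone.utc)
        if WINDOW_START <= ts < WINDOW_END and ev["type"] in SUSPECT_EVENTS:
            hits.append((ts.isoformat(), ev["type"], ev["actor"]))
    return sorted(hits)

# Constructed sample data (not from Instructure or any real tenant).
INVENTORY = [
    {"name": "etl-cd2-key", "issued": "2025-11-02T09:00:00+00:00"},
    {"name": "sis-sync-oauth", "issued": "2026-01-15T00:00:00+00:00", "revoked": "2026-05-02T16:00:00+00:00"},
    {"name": "sis-sync-oauth-v2", "issued": "2026-05-02T16:00:00+00:00"},
    {"name": "legacy-report-key", "issued": "2024-08-01T00:00:00+00:00", "revoked": "2026-03-01T00:00:00+00:00"},
    {"name": "post-incident-key", "issued": "2026-05-05T08:00:00+00:00"},
]
EVENTS = [
    {"ts": "2026-04-29T19:10:00-07:00", "type": "role_changed", "actor": "svc-integration"},
    {"ts": "2026-05-01T03:22:00+00:00", "type": "message_export", "actor": "etl-cd2-key"},
    {"ts": "2026-05-01T08:00:00+00:00", "type": "login", "actor": "teacher-17"},
]
```

A credential reissued inside the window (here `sis-sync-oauth-v2`) is still flagged for rotation, and the first sample event is caught only because its local-time stamp is normalised to UTC before the comparison.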