Instructure Canvas LMS ShinyHunters breach (2026)

ShinyHunters exploited Canvas's Free-For-Teacher account programme to exfiltrate 3.65 TB of data spanning approximately 275 million users across nearly 9,000 schools — names, email addresses, student IDs, and some private messages between students and teachers. Instructure reportedly paid the ransom and the data was destroyed.

In early May 2026, Instructure — the company behind Canvas, the learning-management system used by roughly 41% of U.S. higher-education institutions and thousands of K-12 schools — disclosed a major breach orchestrated by ShinyHunters. It is now considered the largest education-sector security incident on record by users affected.

What happened

The attackers entered Canvas through the Free-For-Teacher account programme — a low-friction onboarding tier intended to let individual educators try the platform — and from that foothold reached customer data on the broader Canvas instance. The exposure window ran 30 April to 7 May 2026; Instructure detected the unauthorized activity on 1 May.

ShinyHunters claimed responsibility publicly on 3 May 2026 and launched a "pay or leak" extortion campaign with a 7 May deadline (later extended to 12 May). The data set claimed was 3.65 TB spanning approximately 275 million users across ~9,000 schools — names, email addresses, student IDs, and some private messages exchanged between students and teachers.

On 11 May 2026 Instructure issued a public apology for its lack of transparency and confirmed it had reached an agreement with the actor; the company said the compromised data was destroyed. Inside Higher Ed and other outlets reported, citing unconfirmed sources, that the settlement amount was approximately $10 million USD.

This is the second ShinyHunters compromise of Instructure within eight months — an earlier incident hit the same platform in 2025.

Impact

~275 million users across approximately 9,000 schools worldwide affected — the largest education-sector breach by user count on record.
3.65 TB claimed exfiltrated.
Names, email addresses, student IDs, and some private student–teacher messages exposed.
Reported ~$10 million USD ransom payment.
Acute regulatory and reputational fallout for Canvas in U.S. higher ed, where it is the dominant LMS.

Why it matters

A free trial-account tier is, by design, the lowest-friction surface on a SaaS platform. That is precisely what makes it a high-value initial-access vector if it shares any plumbing with the paying-customer instance. ShinyHunters demonstrated, twice, that an entry point engineered for acquisition can also be engineered for exfiltration.

Timeline

April 30, 2026

Unauthorized activity begins against Instructure's Canvas platform; ShinyHunters exploits the Free-For-Teacher account programme to reach customer data.

May 1, 2026

Instructure detects the unauthorized activity.

May 3, 2026

ShinyHunters publicly claims responsibility and launches an extortion campaign with a 7 May deadline.

May 5, 2026

Inside Higher Ed reports the 'pay-or-leak' extortion threat aimed at Instructure.

May 7, 2026

Last day in the breach exposure window.

May 9, 2026

ShinyHunters claims 3.65 TB stolen across approximately 275 million users and 9,000 schools.

May 11, 2026

Instructure publicly apologises for lack of transparency and confirms an agreement was reached with the actor; unconfirmed reporting suggests ~$10 million was paid and the data was destroyed.

Sources

en.wikipedia.orghttps://en.wikipedia.org/wiki/2026_Canvas_security_incident

insidehighered.comhttps://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/11/instructure-pays-ransom-canvas-hackers

insidehighered.comhttps://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/05/pay-or-leak-hackers-target-big-higher-ed-vendor

hackread.comhttps://hackread.com/shinyhunters-instructure-canvas-lms-vimeo-data-breach/

bitdefender.comhttps://www.bitdefender.com/en-us/blog/businessinsights/technical-advisory-shinyhunters-breach-instructure-canvas-lms

Related incidents

Credential stuffingContainedMay 30, 2024

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim: Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records: 560.0M

Data breachContainedAugust 8, 2022

LastPass two-stage breach and customer vault theft (2022)

An August 2022 source-code theft from one LastPass developer's laptop chained into a November 2022 compromise of a DevOps engineer's personal computer — yielding access to backups of customer password vaults. Federal investigators later linked LastPass-stolen vaults to a $150 million crypto heist.

Victim: LastPass

Data breachResolvedSeptember 22, 2016

Yahoo data breaches (3 billion accounts)

Two separate breaches — disclosed in 2016 but stretching back to 2013 and 2014 — exposed every Yahoo account in existence. Three billion accounts: the largest single-company data exposure in history.

Victim: Yahoo!
Loss: $470.0M
Records: 3.00B

Data breachUnknownMay 20, 2026

GitHub hit by a cyberattack, nearly 4,000 internal private repositories leaked

GitHub, the development platform used by millions of developers worldwide, confirmed having been the victim of a cyberattack that

Victim: GitHub