
ShinyHunters Hit Canvas: Inside the Instructure LMS Breach Impacting Up to 275M Accounts


ShinyHunters hit Canvas: what the Instructure breach means for 275 million students

On May 3, 2026, Instructure confirmed that its Canvas LMS had been breached. ShinyHunters, the extortion group that has now claimed five enterprise targets this quarter, says it exfiltrated 3.65 TB of data covering up to 275 million user accounts across roughly 9,000 institutions. The group's payment deadline was May 6.

Canvas is used by 41% of North American higher-education institutions. That means this breach is not a niche incident. It is a systemic one.

What was accessed

Instructure's statement confirms that attackers accessed names, email addresses, student IDs, and user messages. Passwords and financial data were not in scope. The company says it has rotated API keys, revoked credentials, and engaged an outside forensic firm.

ShinyHunters claims the exfiltrated data includes several billion private messages between students and teachers and between students, along with personally identifying information. The 275 million figure is ShinyHunters' own claim; Instructure has not confirmed the exact scope.

How the breach happened

The attack vector was API key compromise. ShinyHunters' consistent pattern across all five 2026 campaigns (Vercel via Context.ai OAuth, Vimeo via Anodot analytics SaaS, ADT via Okta SSO, Medtronic, and now Instructure) is the same: the attacker does not break into the primary target directly. Instead, they identify a third-party integration or API token with access to the target's data and compromise that integration first.

In this case, the entry point was Instructure's own API key infrastructure. LMS platforms have extensive integration surfaces: student information systems, identity providers, analytics tools, library systems, accessibility platforms, all connected via API tokens or OAuth grants. A single compromised integration credential can reach data across an institution's entire user population.

What is at risk

Private student messages are the most sensitive exposure. In many jurisdictions, student communications on a university platform are subject to FERPA (in the US), GDPR (in the EU and UK), and equivalent local data protection law. Private messages between students and instructors can include health information, accommodation requests, disciplinary discussions, and personal circumstances shared in confidence.

Email addresses and student IDs from 275 million accounts represent a large-scale phishing resource. Expect targeted credential-stuffing and phishing campaigns against institutional email addresses in the coming weeks, using breached Canvas credentials to make the lures appear legitimate.

What institutions should do

First, contact Instructure directly to determine whether your institution is in scope. Instructure has not published a list of affected institutions.

Second, reset or rotate any API keys and OAuth grants your institution has issued to third-party integrations that connect to Canvas. An API key compromised at one integration point can provide access across your entire Canvas environment.

Third, notify affected users if your institution is confirmed in scope, consistent with your jurisdiction's data breach notification requirements. In the EU, notification is required within 72 hours of a confirmed breach. In the US, requirements vary by state.

Fourth, watch for phishing campaigns targeting institutional email addresses. Brief IT help desk staff and academic staff on what a Canvas-related phishing attempt might look like: urgency framing, requests to verify account credentials, or unexpected messages claiming to be from university administration.
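To make the second step concrete, here is an added example (not Instructure's or the author's code) that orders a credential inventory for rotation, using the May 3 confirmation date as the cutoff. The CSV columns, integration names and scoring weights are hypothetical and the sample rows are constructed; adapt them to whatever inventory your institution actually keeps.

```python
import csv
import io
from datetime import date

# Date Instructure confirmed the breach (from the article).
BREACH_CONFIRMED = date(2026, 5, 3)

# Constructed sample inventory; column names are hypothetical, not a Canvas export format.
SAMPLE_INVENTORY = """\
integration,credential_type,scope,issued,last_rotated,expires
sis-sync,api_key,account,2023-08-14,2023-08-14,
library-proxy,oauth_grant,course,2025-01-10,2026-05-04,2027-01-10
analytics-vendor,api_key,account,2024-11-02,2025-12-01,
captioning-tool,oauth_grant,course,2025-09-01,2025-09-01,2026-09-01
"""

def rotation_queue(inventory_csv, cutoff=BREACH_CONFIRMED):
    """Return (priority, integration, reasons) for every credential not rotated
    on or after the cutoff, highest priority first."""
    queue = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        rotated = date.fromisoformat(row["last_rotated"])
        if rotated >= cutoff:
            continue  # already rotated after the breach was confirmed
        reasons = [f"last rotated {rotated.isoformat()}, before {cutoff.isoformat()}"]
        priority = 1
        if row["scope"] == "account":
            # Account-wide credentials reach the whole user population.
            priority += 2
            reasons.append("account-wide scope")
        if not row["expires"]:
            # A credential with no expiry stays valid until someone revokes it.
            priority += 1
            reasons.append("no expiry set")
        queue.append((priority, row["integration"], reasons))
    # Sort by priority descending, then by name for stable output.
    return sorted(queue, key=lambda item: (-item[0], item[1]))

if __name__ == "__main__":
    for priority, name, reasons in rotation_queue(SAMPLE_INVENTORY):
        print(f"[P{priority}] {name}: " + "; ".join(reasons))
```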

The ShinyHunters arc

This is the fifth confirmed ShinyHunters enterprise breach in Q2 2026. The first quarter of 2024 saw ShinyHunters execute the Snowflake-adjacent campaign that affected Ticketmaster, Santander, and hundreds of other Snowflake customers. The 2026 campaign follows the same structural pattern, now applied to SaaS analytics and LMS platforms rather than cloud data warehouses.

The group's payment deadline passed today with no public confirmation of a data dump or payment. That typically signals either that negotiation is underway or that the data will be released within 24 to 72 hours.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to review your institution's API key exposure or third-party integration risk.
