Active Incident · K-12 & Higher Education · Updated May 12, 2026
Canvas LMS Breach
ShinyHunters compromised 275 million users across 8,800 institutions. Instructure paid the ransom May 11 — but ShinyHunters is now targeting individual schools separately. Here's what to do.
At a Glance

Threat Actor: ShinyHunters
Target: Instructure / Canvas LMS
Attack Type: Data exfiltration + extortion
Scale: ~275M users · 8,800 institutions
Data Claimed Stolen: Names, emails, student IDs, messages
Ransom: Paid May 11 (undisclosed)
Platform Status: Restored (May 7)
Congress Investigation: Opened May 12, 2026
Passwords / SSNs Stolen? No evidence per Instructure
If You Receive a Direct Demand — Do Not Pay

Instructure paid the platform-level ransom May 11. ShinyHunters is now targeting individual institutions separately. Do not pay any direct demand — engage legal counsel and law enforcement. Report to ic3.gov.
5 Actions Right Now
  1. Change your Canvas password. Use a strong, unique password. If you manage accounts, force a reset for all users.
  2. Enable MFA on Canvas and your email. This is the single highest-impact action you can take today.
  3. Watch for phishing. Attackers have your school email. Expect fake Canvas and IT notifications.
  4. Don't click unsolicited breach notifications. Fraudulent alerts will circulate. Use only official IT communications channels.
  5. IT Teams: open the IR checklist. Assign owners, document actions, notify legal and compliance. Full checklist at oztp.org/advisories/checklists/canvas-ir.html
FBI Guidance & May 12 Developments
  • Do not pay direct extortion demands — report to ic3.gov
  • Instructure paid May 11 — data destruction is unverified
  • Congress has opened a formal investigation
  • ShinyHunters is targeting individual institutions separately
Zero Trust Controls That Apply

This incident is a case study in implicit trust extended to a SaaS vendor. Zero Trust architecture would have contained the blast radius. These are the controls that matter most — do the reactive ones now, then plan for the preventative ones.

Control: Credentials
  Reactive — Do Now: Rotate all Canvas API keys and OAuth tokens. Invalidate active sessions.
  Preventative — Do Next: Replace static API keys with short-lived, scoped credentials — issued per session, expired automatically.
  Framework Ref: NIST SP 800-207 §3.3 · CISA ZTMM Identity

Control: Identity / MFA
  Reactive — Do Now: Enforce MFA for all Canvas admin and teacher accounts through your IdP (Azure AD, Okta, Google Workspace).
  Preventative — Do Next: Move toward phishing-resistant MFA (FIDO2/passkeys) for admin accounts. Eliminate password-only access.
  Framework Ref: CIS Controls v8 #6 · CISA ZTMM Identity

Control: SaaS Trust
  Reactive — Do Now: Audit every system integrated with Canvas — what data can it read or write? Remove anything no longer needed.
  Preventative — Do Next: Deploy a CASB or API gateway to inspect Canvas traffic. Monitor bulk data queries and anomalous access patterns.
  Framework Ref: NIST SP 800-207 Tenet 2 · CISA ZTMM Apps & Workloads

Control: Data Scope
  Reactive — Do Now: Review what sensitive data (counseling notes, financial aid, health records) is currently stored in Canvas.
  Preventative — Do Next: Classify data before it enters Canvas. Move sensitive PII to systems with tighter access controls — don't sync everything into your LMS.
  Framework Ref: CISA ZTMM Data Pillar · CIS Controls v8 #3

Control: Visibility
  Reactive — Do Now: Enable Canvas API audit logs. Export logs from April 30 forward for forensic review.
  Preventative — Do Next: Treat Canvas API logs like network logs. Set thresholds for unusual access spikes, unexpected geolocations, and bulk record queries.
  Framework Ref: NIST SP 800-207 Tenet 7 · CISA ZTMM Visibility
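As an added example, not part of the OZTP advisory or of any Canvas tooling: a small Python pass over exported API audit records that applies the Visibility thresholds above (bulk record queries, per-token request spikes, unexpected countries) to each integration token. The JSON-lines field names, the sample records, the per-token country baseline and the threshold values are constructed assumptions for this demonstration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line. The field names are an
# assumption for this example and do not follow any real Canvas export format.
SAMPLE_LOG = [
    '{"ts":"2026-04-30T01:00:00Z","token":"lti-gradebook","path":"/api/v1/courses/101/assignments","records":25,"country":"US"}',
    '{"ts":"2026-04-30T02:10:00Z","token":"sis-sync","path":"/api/v1/accounts/1/users","records":5000,"country":"US"}',
    '{"ts":"2026-04-30T03:00:00Z","token":"sis-sync","path":"/api/v1/accounts/1/users","records":5000,"country":"NL"}',
    'not json at all',  # a malformed line the parser must skip, not crash on
] + [  # constructed burst: eight calls from one token inside 35 seconds
    json.dumps({"ts": f"2026-04-30T04:00:{5 * i:02d}Z", "token": "lti-gradebook",
                "path": "/api/v1/conversations", "records": 100, "country": "US"})
    for i in range(8)
]
# Countries each integration token has historically used (constructed baseline).
BASELINE = {"lti-gradebook": {"US"}, "sis-sync": {"US"}}

def parse(lines):
    """Parse JSON-lines records into dicts sorted by timestamp; skip malformed lines."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
        except (ValueError, KeyError, TypeError):
            continue  # garbage in the export must not abort the whole review
    return sorted(events, key=lambda r: r["ts"])

def analyze(lines, baseline, bulk_records=1000, spike_count=6, window=timedelta(minutes=10)):
    """Flag bulk record queries, per-token request spikes, and unexpected countries."""
    alerts, spiked = [], set()
    recent = defaultdict(deque)  # token -> timestamps of its requests inside the window
    for rec in parse(lines):
        tok, ts = rec["token"], rec["ts"]
        if rec.get("records", 0) >= bulk_records:
            alerts.append(("bulk", tok, ts, f'{rec["records"]} records from {rec["path"]}'))
        if rec.get("country") not in baseline.get(tok, set()):
            alerts.append(("geo", tok, ts, f'unexpected country {rec.get("country")}'))
        q = recent[tok]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > spike_count and tok not in spiked:  # alert once per token
            spiked.add(tok)
            alerts.append(("spike", tok, ts, f"{len(q)} requests within {window}"))
    return alerts
```

Tune the three thresholds to each token's normal volume; a SIS sync legitimately pulls thousands of user records, so the baseline for it should be its usual schedule and origin, not the global default.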
Recommended 90-Day Path
  Days 1–7: Rotate credentials · Enforce MFA on admin accounts · Audit Canvas integrations · Export audit logs
  Days 8–30: Classify data in Canvas · Remove unnecessary data · Review SIS ↔ Canvas sync scope · Set up API monitoring
  Days 31–90: Migrate from static API keys to short-lived credentials · Deploy CASB or API gateway for SaaS visibility · Conduct a ZT Maturity Assessment

Get the Full Advisory

The complete OZTP advisory includes an interactive incident response checklist, full Zero Trust control deep-dives with framework citations, and links to Agent Zeta — our free AI Zero Trust advisor.

oztp.org/advisories · Free · No account required