Advisory: Canvas LMS Breach — ShinyHunters
Update — May 12, 2026
Instructure paid the ransom. On May 11, Instructure confirmed it reached an agreement with ShinyHunters for an undisclosed amount and received "shred logs" as claimed proof of data destruction. Treat those assurances with skepticism — there is no independent verification that the data was destroyed.
Congress is now investigating. Following the payment, Congress launched a formal investigation into the breach and Instructure's decision to pay.
ShinyHunters is now targeting individual institutions. Reports indicate the group has escalated to a school-by-school extortion campaign, contacting named institutions separately. If your institution receives a direct ransom demand, do not pay — engage legal counsel and law enforcement immediately.
Executive Brief
Instructure — the company that runs Canvas LMS, the learning platform used by thousands of schools and universities worldwide — was breached by a criminal hacking group beginning April 30, 2026. The attackers claim to have stolen personal data on 275 million students, teachers, and staff across roughly 8,800 institutions, including names, email addresses, student ID numbers, and private messages sent through Canvas. The group threatened to publicly release everything unless a ransom was paid by May 12, 2026.
Instructure restored access within hours of the public defacement and states there is no evidence that passwords, Social Security numbers, or financial data were taken. On May 11, Instructure paid an undisclosed ransom and claims to have received confirmation that the data was destroyed — but that claim is unverifiable. Congress has since opened an investigation. ShinyHunters is now reportedly running a separate extortion campaign targeting individual institutions. Every institution using Canvas should treat this as an ongoing event requiring immediate action — regardless of whether you are on the named list.
At a Glance
| Threat Actor | ShinyHunters |
| Target | Instructure / Canvas LMS |
| Attack Type | Data exfiltration + extortion |
| Data Claimed Stolen | Names, emails, student IDs, private messages |
| Scale | ~275M users · ~8,800 institutions |
| Ransom | Paid May 11 by Instructure (undisclosed amount) |
| Data Destruction Claim | ShinyHunters provided "shred logs" — unverified |
| Platform Status | Restored (as of May 7) |
| Passwords / SSNs stolen? | No evidence per Instructure |
| Prior Instructure breach? | Yes — attackers said "again" |
| Congressional Investigation | Opened May 12, 2026 |
| Individual School Extortion | Ongoing — ShinyHunters targeting named institutions separately |
| FBI Status | Active investigation — report at ic3.gov |
FBI Statement — May 2026
The FBI has confirmed awareness of this incident and issued guidance for affected individuals:
- Do not pay or respond to ransom or extortion demands
- Threat actors often exaggerate or fabricate their access to pressure victims into paying
- Await formal notification from your educational institution before taking action
- Be cautious of unsolicited emails, calls, or texts claiming to be from your school, Canvas, or law enforcement — verify through known channels before responding
- If you believe you have been impacted, file a complaint at ic3.gov
Who Did This
ShinyHunters is a criminal hacking group with a documented track record of targeting large platforms for data theft and extortion. The group is described as a loose network of young adults primarily based in the U.S. and UK. In early 2026 alone, they also claimed breaches of Infinite Campus (a K-12 student information system) and McGraw Hill (a major academic publisher).
Their playbook is consistent: find a platform that holds data at scale, exfiltrate in bulk, then threaten public release unless paid. They do not appear motivated by ideology — only financial gain.
If Your Institution Receives a Direct Demand — Do Not Pay
Instructure paid the platform-level ransom on May 11. ShinyHunters is now reportedly running a separate campaign targeting individual institutions. If you receive a direct extortion demand, do not pay — engage legal counsel and law enforcement immediately.
Paying does not guarantee data deletion and marks your institution as willing to pay again. The FBI specifically notes that threat actors often exaggerate or fabricate the scope of their access to pressure victims. Receiving a threatening message does not confirm your data was actually stolen. Report any demands to ic3.gov.
Was Your Institution Named?
If Your School Uses Canvas: Do These Right Now
These five steps apply to every institution using Canvas — whether you are confirmed affected or not.
1. Change your Canvas password
Use a strong, unique password. Do not reuse one from another site. If you manage Canvas accounts, force a password reset for all users.
2. Enable multi-factor authentication (MFA)
Turn on MFA for your Canvas account and the email address linked to it. This is the single highest-impact action you can take today.
3. Watch for phishing
Attackers now have your school email address. Expect emails impersonating Canvas, your IT department, or "breach response" services. Go directly to official sites — do not click links in unexpected emails.
4. Do not click unsolicited "breach notification" links
Fraudulent notifications will circulate. Verify everything through your school's official IT communications channel.
5. IT and Security Teams
Work through the full incident response checklist below. Assign owners, document actions, and notify legal and compliance.
Open Incident Response Checklist →
Zero Trust Controls That Apply
This incident is a case study in what happens when organizations extend implicit trust to a SaaS vendor. Zero Trust architecture would have contained the blast radius — here's how.
Reactive Controls — Do Now
These are controls that reduce your exposure from this specific incident.
| Control | What to Do | Framework Reference |
|---|---|---|
| Rotate all Canvas API keys | Audit and rotate every API key and OAuth token connected to Canvas. Prioritize integrations with your SIS, registration, and HR systems. | NIST SP 800-207 §3.3 |
| Invalidate active Canvas sessions | Force all users to re-authenticate. Terminate any service account sessions with Canvas. | CISA ZTMM Identity Pillar — Credential Management |
| Enforce MFA for all admin accounts | Canvas admin and teacher accounts are highest risk. Enforce MFA through your identity provider (Azure AD, Okta, Google Workspace). | CIS Controls v8 #6 — Access Control Management |
| Audit Canvas integration permissions | List every system integrated with Canvas. For each: what data can it read? What can it write? Remove or restrict anything no longer needed. | NIST SP 800-207 Tenet 3 — Least Privilege |
| Enable and export Canvas audit logs | If not already collecting Canvas API audit logs, enable them now. Export logs from April 30 forward for forensic review. | CISA ZTMM Visibility & Analytics |
Preventative Controls — Do Next
These are the Zero Trust controls that would have limited the damage of this breach had they been in place — and will protect you from the next one.
Identity: No Standing Credentials
The problem: Most Canvas integrations use static API keys that never expire. One key stolen = permanent access until someone notices.
The ZT fix: Replace long-lived API keys with short-lived, scoped credentials — issued per session, expired automatically.
"Access to individual enterprise resources is granted per-session." — NIST SP 800-207, Tenet 3
Reference: CISA ZTMM Identity Pillar (Advanced maturity) — Just-in-Time access provisioning, ephemeral credentials for service-to-service integrations.
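The short-lived, scoped credential model described above, as an added example (not code from this advisory, Instructure, or Canvas): a minimal HMAC-signed token that a hypothetical credential broker issues to an integration and a resource server checks. The integration name `sis-sync`, the scope strings, and the 15-minute TTL are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _sign(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over the encoded claims, base64url-encoded."""
    return base64.urlsafe_b64encode(hmac.new(key, payload, hashlib.sha256).digest())


def issue(key, integration, scopes, ttl=900, now=None):
    """Mint a token for one integration, limited to `scopes`, valid for `ttl` seconds."""
    now = int(time.time()) if now is None else now
    claims = {"sub": integration, "scopes": sorted(scopes), "iat": now, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(key, payload).decode()


def authorize(key, token, needed_scope, now=None):
    """Return (allowed, reason). Signature is checked before the claims are parsed."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig.encode(), _sign(key, payload.encode())):
        return False, "bad-signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        return False, "expired"        # a stolen token stops working on its own
    if needed_scope not in claims["scopes"]:
        return False, "out-of-scope"   # a stolen token cannot read other data sets
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"      # constructed value, never a real secret
    tok = issue(key, "sis-sync", ["enrollments:read"], ttl=900, now=1000)
    print(authorize(key, tok, "enrollments:read", now=1500))
    print(authorize(key, tok, "enrollments:read", now=1900))
    print(authorize(key, tok, "messages:read", now=1500))
```

In production the issuing side would be your identity provider or an OAuth authorization server rather than hand-rolled signing; the point here is the expiry and scope checks that a static API key lacks.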
Applications & Workloads: Treat SaaS as Untrusted
The problem: Schools trust Canvas traffic because "it's a reputable vendor." That trust is transitive — if Canvas is compromised, so is the trust.
The ZT fix: Inspect Canvas API traffic at your boundary. A Cloud Access Security Broker (CASB) or API gateway lets you monitor data flows, detect bulk downloads, and alert on anomalous patterns — even from a trusted SaaS vendor.
"All communication is secured regardless of network location." — NIST SP 800-207, Tenet 2
Reference: CISA ZTMM Applications & Workloads Pillar — SaaS application visibility and access monitoring. CIS Controls v8 #16 — Application Software Security.
Data: Know What You're Exposing
The problem: Many institutions don't know exactly what data Canvas holds on their behalf — grades, messages, counseling notes, financial aid details — until after a breach.
The ZT fix: Classify the data flowing into Canvas before a breach. Not everything needs to live in your LMS. Documents containing sensitive PII, health information, or financial data should be stored in systems with tighter access controls and not synced into Canvas.
"Data is classified and protected based on sensitivity." — CISA ZTMM Data Pillar
Reference: NIST SP 800-207 Tenet 6 — Continuously monitor and measure the integrity and security posture of assets. CIS Controls v8 #3 — Data Protection.
Visibility: Monitor Your SaaS Integrations
The problem: The Canvas breach began April 30 — but for many schools, the first they heard of it was May 7 when their login pages were defaced. A week of undetected access is a significant window.
The ZT fix: Treat Canvas API logs like your own network logs. Unusual spikes in data access, requests from unexpected geolocations, or bulk record queries are detectable signals — but only if you're watching.
"The enterprise collects data about the current state of assets, network infrastructure, and communications and uses it to improve its security posture." — NIST SP 800-207, Tenet 7
Reference: CISA ZTMM Visibility & Analytics Pillar — SaaS activity monitoring, anomaly detection thresholds.
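A sketch of the monitoring described in this section and in the CASB/API-gateway control above, added here as an example and not taken from Canvas or any vendor tool: it flags bulk reads, requests from unexpected countries, and tokens missing from the integration inventory. The log field names, token names, thresholds, and sample records are constructed assumptions, not Canvas's real audit-log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names are a hypothetical export schema,
# not Canvas's actual audit-log format.
SAMPLE_LOG = [
    {"ts": "2026-01-10T14:00:00", "token": "sis-sync", "country": "US", "records": 120},
    {"ts": "2026-01-10T14:05:00", "token": "sis-sync", "country": "US", "records": 150},
    {"ts": "2026-01-10T15:00:00", "token": "gradebook-export", "country": "US", "records": 400},
    {"ts": "2026-01-11T03:10:00", "token": "sis-sync", "country": "NL", "records": 2000},
    {"ts": "2026-01-11T03:12:00", "token": "sis-sync", "country": "NL", "records": 2000},
    {"ts": "2026-01-11T03:15:00", "token": "sis-sync", "country": "NL", "records": 2000},
    {"ts": "2026-01-11T04:00:00", "token": "legacy-plugin", "country": "US", "records": 50},
]

# Inventory of known integrations and where each normally calls from (assumed).
EXPECTED_COUNTRIES = {"sis-sync": {"US"}, "gradebook-export": {"US"}}
WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5000  # records per token per window (assumed baseline)


def detect(events, expected=EXPECTED_COUNTRIES, window=WINDOW, threshold=BULK_THRESHOLD):
    """Return a sorted list of (token, reason) alerts."""
    alerts = set()
    recent = defaultdict(list)  # token -> [(timestamp, records)] within the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        token = ev["token"]
        if token not in expected:
            alerts.add((token, "unknown-token"))       # integration nobody inventoried
        elif ev["country"] not in expected[token]:
            alerts.add((token, "unexpected-country"))  # known token, new location
        q = recent[token]
        q.append((ts, ev["records"]))
        while ts - q[0][0] > window:                   # drop entries older than the window
            q.pop(0)
        if sum(n for _, n in q) > threshold:
            alerts.add((token, "bulk-read"))           # volume spike across requests
    return sorted(alerts)


if __name__ == "__main__":
    for token, reason in detect(SAMPLE_LOG):
        print(f"ALERT {reason}: {token}")
```

Set the window and threshold from each integration's own observed baseline; a nightly full sync and an interactive plugin need different limits.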
Recommended 90-Day Hardening Path
For institutions that want to move from reactive to proactive after this incident:
| Timeframe | Priority Actions |
|---|---|
| Days 1–7 | Rotate credentials, enforce MFA on admin accounts, audit Canvas integrations, export audit logs |
| Days 8–30 | Classify data in Canvas, remove unnecessary data, review SIS ↔ Canvas sync scope, set up API monitoring |
| Days 31–90 | Migrate from static API keys to short-lived credentials, deploy CASB or API gateway for SaaS visibility, conduct a ZT Maturity Assessment |
Sources
This advisory was published May 8, 2026 and last updated May 12, 2026.
- 2026 Canvas Security Incident — Wikipedia
- Instructure Confirms Canvas Breach — Bitdefender
- Millions of Students' Data Stolen — Malwarebytes
- Hackers Steal Students' Data — TechCrunch
- PAY OR LEAK — Inside Higher Ed
- ShinyHunters Breach Instructure — SOCRadar
- Instructure Pays Ransom to Canvas Hackers — Inside Higher Ed
- Instructure Reaches Ransom Agreement with ShinyHunters — The Hacker News
- Congress Investigates Canvas Breach After Instructure Cuts Deal — The Register
- ShinyHunters Escalates Canvas Extortion with School-by-School Campaign — Infosecurity Magazine
- FBI Public Service Announcement — Canvas LMS Incident (May 2026)
ZT Advisories are produced by the Open Zero Trust Project. All framework references are to publicly available standards. This advisory is for informational purposes and does not constitute legal or security consulting advice.