
Canvas/Instructure Data Breach: ShinyHunters Exploits LMS Platform to Expose Millions of Student Records

In late April and May 2026, Instructure, the company behind Canvas, the learning management system used by 41% of US higher education institutions, disclosed a data breach that exposed names, email addresses, student ID numbers, and private messages belonging to users across thousands of educational institutions worldwide. The extortion group ShinyHunters claimed responsibility, asserting they held 3.65 terabytes of data covering 275 million users across approximately 9,000 institutions. Instructure confirmed exposure of personal data but has not verified the full scale claimed.

The breach is considered the largest educational platform security incident on record. This was ShinyHunters’ second attack against Instructure’s infrastructure in eight months; the first, in September 2025, had targeted Instructure’s Salesforce environment through social engineering.

What Happened

Canvas is the dominant learning management system in North American higher education, used by universities, K-12 school districts, and teaching hospitals across the US, UK, Canada, Australia, New Zealand, and parts of Europe. At the time of the breach, Instructure provided Canvas to approximately 30 million active participants at over 8,000 institutions.

Confirmed victims include institutions across multiple continents, with named affected schools including eight Ivy League institutions, major state university systems, and K-12 districts. The University of Pennsylvania alone had approximately 306,000 affiliates in the exposed data.

The timeline:

  • September 2025: ShinyHunters attacks Instructure’s Salesforce instance through social engineering. Instructure discloses and rotates credentials. No Canvas product data confirmed compromised.
  • April 25, 2026: Unauthorised actors gain access to Canvas systems
  • May 1, 2026: Instructure detects the intrusion, revokes unauthorised access, engages third-party forensic investigators, places Canvas Data 2 and Canvas Beta into maintenance mode
  • May 2, 2026: Instructure states the incident is contained. Confirms data theft: names, email addresses, student ID numbers, and messages among users
  • May 3, 2026: ShinyHunters lists Instructure on their Tor-based data leak site, claiming 3.65 TB of data
  • May 6, 2026: ShinyHunters sets a ransom deadline. Instructure states it has reached an agreement and received digital confirmation of data destruction. Data is reported not released publicly.
  • May 7, 2026: Second ShinyHunters intrusion attempt succeeds through a previously undisclosed vulnerability; login pages defaced at affected institutions
  • May 8, 2026: Instructure reports the May 7 incident contained
  • May 11, 2026: Instructure issues public apology for lack of transparency
  • May 13, 2026: Proposed class action lawsuit filed against Instructure
  • May 2026: US Federal Trade Commission issues consumer alert regarding the Canvas breach

Instructure confirmed it reached an agreement with the attackers and received shred logs as confirmation of data destruction. Security professionals note that such confirmation from an extortion group is not enforceable and should not be treated as a guarantee of data non-use.

How It Happened

The May 2026 breach exploited a vulnerability in Instructure’s Free-For-Teacher account programme — a free tier available to individual educators, which had different access controls from the paid enterprise tier. Instructure subsequently permanently discontinued the Free-For-Teacher programme.

The specific technical mechanism has not been fully disclosed. Bitdefender’s advisory assessed the attack as either an authentication bypass allowing access without valid credentials or a tenant-isolation flaw allowing access to other organisations’ data through a Free-For-Teacher account. Either path would have provided access to Canvas platform data across multiple customer organisations without requiring individual credential compromise for each institution.

The September 2025 incident used social engineering against the Salesforce environment — a different attack surface, a different technique. The May 2026 incident targeted a product-tier vulnerability in Canvas itself. The same threat actor returning to the same target with a different method, succeeding for the second time in eight months, raises a governance question that Instructure will face in regulatory proceedings: was the remediation after September 2025 sufficient to address the broader vulnerability posture, or was it limited to the specific attack vector that had just been exploited?

What This Means for NHI Governance

Canvas is used by students to share accommodation requests describing medical conditions, communicate with academic advisors about personal circumstances, and discuss sensitive situations with support staff. When that platform is breached, the exposed data is not just names and email addresses. It is contextual personal information that enables highly convincing targeted social engineering against students and faculty.

From an NHI governance perspective, the Canvas breach illustrates a different threat model than the credential-theft breaches in this collection. The NHI element is the API credential and integration access surface:

  • Canvas Data 2 and Canvas Beta were placed into maintenance mode because they rely on API keys for institutional integrations. When Instructure rotated credentials in response to the breach, institutions that relied on those API connections for SIS syncs, accessibility tools, proctoring software, analytics platforms, and assessment tools experienced disruption.
  • Every integration built on Canvas API credentials is a non-human identity relationship. Each API key an institution has issued to a third-party integration service is a credential with access to LMS data. If those keys are compromised in a breach, the downstream blast radius extends to every integrated service.
  • The repeat breach pattern — same organisation, same threat actor, different surface, eight months apart — illustrates the limitation of credential rotation as a sole remediation. Rotating the compromised credential addresses the immediate access path. It does not address the broader credential surface or the data governance question of what sensitive data resides in connected systems.

Recommendations

  • Rotate all Canvas API keys and integration credentials immediately. Institutions that have not already rotated API keys following Instructure’s direction should do so now. Treat any credential that could have been accessible during the breach window as potentially compromised.
  • Audit all third-party integrations connected to your Canvas instance. Build an inventory of every application holding Canvas API credentials: proctoring tools, accessibility platforms, SIS connectors, analytics services. Each is a non-human identity with access to student data.
  • Implement monitoring for anomalous Canvas API activity. Bulk data exports, unusual access patterns from integration credentials, and access from unexpected IP addresses should generate immediate alerts.
  • Review what data is accessible through Canvas API credentials. Many institutions have granted API integrations broader access than those integrations require. Apply least-privilege scoping to all Canvas API grants.
  • Be cautious about accepting data destruction assurances from extortion groups. ShinyHunters has a documented history of retaining or monetising exfiltrated data regardless of assurances given during ransom negotiations. Treat the data as potentially still at risk.
  • Brief students and faculty on the social engineering risk. The data exposed (course names, advisor relationships, private messages) enables highly convincing targeted phishing. Warn your community about phishing messages that reference specific course, advisor, or accommodation details.
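One way to implement the monitoring and least-privilege scoping recommended above, as an added example rather than anything from Instructure or Canvas: the access-log format, the integration token names, the expected source networks, the per-integration path scopes and the bulk-export threshold are all constructed assumptions for illustration.

```python
"""Flag anomalous use of Canvas API integration tokens from access-log lines.

Added example, not Instructure code. The log format, token names, networks,
path scopes and threshold below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: timestamp, integration token id, source IP, method, path, rows returned
SAMPLE_LOG = """\
2026-05-01T02:10:05Z sis-sync 10.20.0.5 GET /api/v1/accounts/1/users 100
2026-05-01T02:10:07Z sis-sync 10.20.0.5 GET /api/v1/accounts/1/users 100
2026-05-01T02:12:00Z proctor-tool 203.0.113.44 GET /api/v1/courses/55/enrollments 50
2026-05-01T02:12:01Z proctor-tool 198.51.100.9 GET /api/v1/conversations 500
2026-05-01T02:12:02Z proctor-tool 198.51.100.9 GET /api/v1/conversations 500
2026-05-01T02:12:03Z proctor-tool 198.51.100.9 GET /api/v1/conversations 500
"""

# Constructed inventory: each integration token, the network it should call from,
# and the API path prefixes it actually needs (the least-privilege expectation)
EXPECTED = {
    "sis-sync": {"nets": ["10.20.0.0/16"], "paths": ["/api/v1/accounts/"]},
    "proctor-tool": {"nets": ["203.0.113.0/24"], "paths": ["/api/v1/courses/"]},
}
BULK_ROWS = 1000  # rows per token per window before it is treated as a bulk export

def parse(line):
    ts, token, ip, method, path, rows = line.split()
    return {"ts": ts, "token": token, "ip": ipaddress.ip_address(ip),
            "method": method, "path": path, "rows": int(rows)}

def analyse(log_text):
    """Return de-duplicated (token, reason) alerts for one log window."""
    alerts, seen = [], set()
    def add(token, reason):
        if (token, reason) not in seen:
            seen.add((token, reason))
            alerts.append((token, reason))
    rows_by_token = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse(line)
        exp = EXPECTED.get(ev["token"])
        if exp is None:                      # token not in the inventory at all
            add(ev["token"], "unknown integration token")
            continue
        if not any(ev["ip"] in ipaddress.ip_network(n) for n in exp["nets"]):
            add(ev["token"], f"unexpected source IP {ev['ip']}")
        if not any(ev["path"].startswith(p) for p in exp["paths"]):
            add(ev["token"], f"out-of-scope path {ev['path']}")
        rows_by_token[ev["token"]] += ev["rows"]
    for token, total in rows_by_token.items():  # volume check across the window
        if total >= BULK_ROWS:
            add(token, f"bulk export: {total} rows in window")
    return alerts
```

Running `analyse(SAMPLE_LOG)` flags only the proctoring token: an unexpected source address, a path outside its scope (user messages), and a bulk export, while the SIS sync stays quiet.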

How NHI Mgmt Group Can Help

Securing Non-Human Identities (NHIs), including AI Agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting its digital assets.

Take our NHI Foundation Level Training Course, the most comprehensive in the industry, which will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.


Final Thoughts

The Canvas breach is an educational platform security incident with direct NHI implications: API credential surface, integration governance, and the downstream blast radius when a platform holding sensitive contextual data is compromised. The repeat pattern (same threat actor, same target, two successful attacks in eight months) is the governance finding that institutions connected to Canvas, and the broader SaaS-dependent education sector, should carry forward. Rotating the credential that was exploited in September 2025 did not prevent the breach in May 2026.

The attack surface was broader than the credential that was rotated. That is the gap most organisations share when they address a breach as a credential problem rather than a data governance and access surface problem.