Instructure, the Salt Lake City-based educational technology firm behind the Canvas learning management system (LMS), confirmed on May 5, 2026, that a cybersecurity incident has exposed sensitive user information across its global network. The breach, which was first detected as a service disruption on April 30, has reportedly impacted names, email addresses, student identification numbers, and private messages exchanged within the platform. While the company has stated that the incident is contained, the extortion group ShinyHunters has claimed responsibility for the attack, alleging a scale of data exfiltration that would rank among the largest in the history of the education sector.
According to technical details released by the company and subsequent reports from cybersecurity analysts, the breach involved the unauthorized access of data through Canvas export features, including Data Access Platform (DAP) queries, provisioning reports, and user APIs. On May 3, ShinyHunters listed Instructure on its Tor-based leak site, claiming to have exfiltrated 3.65 terabytes of uncompressed data. The group asserts that the stolen records pertain to 280 million students, teachers, and staff members across 8,809 educational institutions worldwide. Furthermore, the threat actors claim to have compromised Instructure’s Salesforce instance and harvested billions of private messages.
Instructure Chief Information Security Officer Steve Proud confirmed the involvement of a criminal threat actor in a notification to customers. The company’s internal investigation, supported by external forensics experts, found no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. However, the exposure of private messages has raised concerns regarding the confidentiality of academic communications. In response to the breach, Instructure revoked privileged credentials and access tokens, rotated application keys, and deployed security patches. The company also implemented expanded monitoring across its infrastructure to prevent further unauthorized access.
The incident caused significant operational disruptions for institutions relying on Canvas. On April 30, tools dependent on API keys began experiencing failures, leading Instructure to place Canvas Data 2, Canvas Beta, and Canvas Test environments under emergency maintenance. While access to Canvas Data 2 was restored by May 3, other environments remained restricted as the company worked to reauthorize API access for its global client base. Major universities, including the University of Colorado Boulder and Rutgers University, have issued statements to their respective communities acknowledging the vendor-level event and monitoring for direct impacts on their local systems.
As of May 5, Instructure continues to investigate the full extent of the data exposure. The company has mandated that customers reauthorize access to the Instructure API to receive new application keys, a move intended to invalidate any credentials potentially harvested by the attackers. ShinyHunters has reportedly set a ransom deadline of May 6, 2026, threatening to release the full dataset if their demands are not met. Instructure has not publicly commented on the ransom demand or the specific claims regarding the volume of stolen data, focusing instead on remediation and institutional notification.