Instructure (Canvas LMS) — ShinyHunters extortion, ~275M users claimed

On 30 April 2026, Instructure — the NASDAQ-listed edtech vendor behind the Canvas learning management system — detected unauthorised access to its environment and began notifying customers the following day. By 3 May the company stated it had contained the incident, rotated keys, revoked credentials, and engaged outside forensic support. Some Canvas-adjacent services, including Canvas Data 2 and Canvas Beta, were taken offline during the response, and customers were forced to re-authorise API access following the credential rotation.

The criminal extortion group ShinyHunters claimed responsibility on its dark-web leak site, alleging it had stolen 3.65 TB of data tied to as many as 275 million users across roughly 8,809 schools, universities and online education platforms. Compromised data, per Instructure, included names, email addresses, student identifiers and user messages. The company has stated that passwords and financial data were not involved. ShinyHunters set a public extortion deadline of 6 May 2026.

ShinyHunters’ spring 2026 campaign now spans Wynn Resorts, Pitney Bowes, Carnival, Mytheresa, Vercel, Medtronic, Vimeo and Instructure. The Salesforce-OAuth pivot pattern downstream of the Salesloft/Drift compromise has fitted most victims, but early reporting on Instructure points to a vulnerability-led entry rather than the OAuth-token reuse seen elsewhere in the cluster.

A deep-dive will follow once Instructure publishes a technical post-mortem identifying the access path, the data taxonomy is independently corroborated, and the negotiation outcome is publicly documented. The early defender lens is the multi-tenant question: Canvas hosts course material, gradebooks and student messages for thousands of institutions on shared infrastructure, and the breach raises whether per-tenant isolation in a shared LMS is architecturally enforced or only contractually asserted.