// News Desk · 08 May 2026 · data breach · cloud · technology · commentary · source: darkreading.com

ShinyHunters' second Instructure breach — Free-For-Teacher was the seam

ShinyHunters re-hit Instructure on 7 May, eight months after the Drift-borne Salesforce intrusion. The seam this time: Canvas's Free-For-Teacher tier sharing a trust boundary with 9,000 paying schools.

ShinyHunters has now claimed two compromises of Instructure inside eight months. The first was the Salesloft/Drift OAuth-token theft in September 2025, which the same actor used to pivot into the company’s Salesforce environment and exfiltrate customer-relationship data. The second, claimed on 7 May, came after Instructure had publicly told customers the first incident was contained, and was staged precisely as proof that it wasn’t. The group also pushed its leak deadline from 6 May to 12 May to give affected schools time to negotiate directly.

The technically interesting detail this time is the foothold. Per Instructure’s own statement, the 7 May intrusion ran through the Free-For-Teacher account program, a self-serve tier of Canvas with no identity validation, where any teacher, or anyone claiming to be one, could spin up a free instance of the platform. That tier sat inside the same production trust boundary as the paid environment used by roughly 9,000 schools, plus corporate and public-sector Canvas customers reportedly including Amazon, Apple, US healthcare institutions, and a number of cities and US states. Instructure has subsequently announced it is permanently shutting the Free-For-Teacher program down. That is a clear concession that the architecture, not just the operational hygiene, was the bug.

The pattern is not specific to Instructure. Free tiers, trial environments, partner-developer sandboxes, evaluation tenants — these accumulate inside SaaS estates and quietly inherit the same database, the same internal APIs, and often the same identity surface as the paying enterprise tenants. The product organisation treats them as low-risk because the customer commitment is low. The threat actor treats them as the cheapest path into the production trust boundary. The customer paying eight figures for the platform finds out about the architectural seam in the breach notification.
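The shared-identity-surface point above, as an added illustrative example (this is not Instructure’s or Canvas’s code, and it does not describe how the actual intrusion worked). It contrasts a role-only authorization check, where a self-serve admin and a paying customer’s admin are the same kind of principal, with one that provisions self-serve tiers into their own trust zone and evaluates zone before ownership before role. The tenant IDs, zone names, roles and the shared splash-page resource are constructed for the demonstration.

```python
"""Trust-zone-aware tenant authorization (illustrative model, not vendor code)."""
from dataclasses import dataclass
from typing import Optional

# Self-serve tiers are assigned their own trust zone at provisioning time, so the
# partition is a property of the tenant record rather than an ad hoc per-request rule.
SELF_SERVE_TIERS = {"free", "trial", "sandbox"}


def zone_for_tier(tier: str) -> str:
    return "selfserve" if tier in SELF_SERVE_TIERS else "prod"


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    tier: str

    @property
    def zone(self) -> str:
        return zone_for_tier(self.tier)


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    resource_id: str
    zone: str
    owner_tenant: Optional[str] = None  # None: platform-wide object shared by every tenant in the zone


def authorize_role_only(p: Principal, r: Resource, action: str) -> bool:
    """Weak model: one identity surface for every tier; only the role is consulted."""
    return action == "read" or "admin" in p.roles


def authorize_zoned(p: Principal, r: Resource, action: str, tenants: dict) -> bool:
    """Hardened model: zone match, then tenant ownership, then role."""
    tenant = tenants.get(p.tenant_id)
    if tenant is None or tenant.zone != r.zone:
        return False                      # self-serve identities never reach prod objects
    if r.owner_tenant is None:
        return action == "read"           # shared objects are read-only to every tenant role
    if r.owner_tenant != p.tenant_id:
        return False                      # no cross-tenant access inside a zone either
    return action == "read" or "admin" in p.roles


def demo() -> dict:
    """Constructed scenario: a free self-serve tenant next to a paying institution."""
    tenants = {
        "ffa-0042": Tenant("ffa-0042", "free"),   # hypothetical self-serve teacher instance
        "univ-a": Tenant("univ-a", "paid"),        # hypothetical paying school
    }
    free_admin = Principal("teacher@example.org", "ffa-0042", frozenset({"admin"}))
    paid_admin = Principal("lmsadmin@univ-a.example", "univ-a", frozenset({"admin"}))
    shared_splash = Resource("login-splash", zone="prod")                  # served to every prod tenant
    univ_course = Resource("course-101", zone="prod", owner_tenant="univ-a")
    free_course = Resource("course-1", zone="selfserve", owner_tenant="ffa-0042")

    return {
        "weak_free_admin_writes_shared_splash": authorize_role_only(free_admin, shared_splash, "write"),
        "zoned_free_admin_writes_shared_splash": authorize_zoned(free_admin, shared_splash, "write", tenants),
        "zoned_free_admin_reads_shared_splash": authorize_zoned(free_admin, shared_splash, "read", tenants),
        "zoned_paid_admin_writes_shared_splash": authorize_zoned(paid_admin, shared_splash, "write", tenants),
        "zoned_paid_admin_writes_own_course": authorize_zoned(paid_admin, univ_course, "write", tenants),
        "zoned_paid_admin_writes_free_course": authorize_zoned(paid_admin, free_course, "write", tenants),
        "zoned_free_admin_writes_own_course": authorize_zoned(free_admin, free_course, "write", tenants),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The design choice worth noting is that the shared object is read-only to every tenant role in the zoned model, including paying admins; changing something every tenant sees is a platform release action with its own path, not a tenant privilege. That is what removes a self-serve account, and any account, as a route to the "everyone logged in sees it" surface.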

A few notes on what the attack chain seems to have looked like. Reporting from Dark Reading, TechCrunch and Malwarebytes converges on the same picture: ShinyHunters used a Free-For-Teacher account, or a chain of them, to obtain the access required to modify the splash pages served to logged-in students and teachers across paid Canvas instances. A Georgia Tech student supplied screenshots of the new defacement on 7 May. Instructure took Canvas, Canvas Beta and Canvas Test offline that evening, restored service the following morning, and then announced the Free-For-Teacher shutdown. The actor’s leak-site post moved the threatened-data-publication deadline from 6 May to 12 May, with the option for individual schools to negotiate directly. The negotiation-with-the-victim’s-customers move is itself novel; it puts the leverage on the institution that has the most compliance exposure (the school) rather than on the vendor that has the cheque book (Instructure). For SaaS vendors with a federated-customer base, that is a structurally different threat model from the more familiar single-vendor extortion.

Three things worth pulling out for defenders.

First, the question to ask of any major SaaS supplier has now changed shape. Procurement-stage due diligence has historically been about controls (encryption, certifications, residency). The question that matters in 2026 is architectural: what other tiers, trial programs, sandbox tenants or self-serve flows on this platform sit inside the same blast radius as my tenant? “What’s the Free-For-Teacher equivalent on this platform?” is now a procurement-stage question, not an incident-response one. It is also a question that a lot of vendors will need to think about for the first time.

Second, extortion deadlines have stopped being one-shot. The ShinyHunters move from a 6 May to 12 May deadline, staged as a re-compromise rather than as a missed countdown, is a small but interesting evolution. Incident-response playbooks built on the assumption of single-window leverage need to be updated to handle a posture in which the actor has demonstrably retained or re-acquired access during the negotiation window. That is a different decision tree, particularly around interim public communications.

Third, this is the second major education-sector SaaS compromise in a month — Instructure on 1 and 7 May, PowerSchool earlier in the cluster — and both were routed through the access layer (accounts, tokens and sessions) rather than through the data stores themselves. The trust boundary in this sector has moved. The data is centralised, the access layer is fragmented, and the access layer is what the attackers are working on.

For schools running Canvas this week, the operational picture is bleak — finals being held in environments where students cannot view their grades, contact their professors or submit work. For everyone running anything on a major SaaS estate, the broader picture is the bit worth keeping. The free tier you do not pay for is somebody else’s foothold into the platform you do.
