ShinyHunters Breached Instructure for the Second Time, and This Time They Paid
Instructure, the company behind the Canvas learning management system, reached an agreement with the ransomware group ShinyHunters on May 12th, 2026, after attackers exfiltrated more than 3.6 terabytes of data from its platform and defaced login pages at multiple universities. The deal, which Instructure carefully did not call a ransom payment, covered all 8,000+ institutions on the platform, sparing individual schools from having to negotiate on their own.
It was at least the second time ShinyHunters had targeted Instructure. In September 2025, the group breached the company’s Salesforce environment through social engineering, accessing peripheral business contact data. At the time, Instructure confirmed no Canvas product or student data was touched. Eight months later, the attackers came back through a different door entirely.
How the Breach Happened, XSS Flaws, and Hijacked Admin Sessions
On April 29th, ShinyHunters exploited cross-site scripting (XSS) vulnerabilities in Canvas’s Free-for-Teacher environment, a free tier that shares the same underlying infrastructure as institutional deployments. By injecting malicious JavaScript into user-generated content features, the attackers intercepted authenticated admin sessions and gained privileged access across the environment.
It was later confirmed that multiple XSS flaws were involved, in areas where users can create and submit content. The group claims to have exfiltrated over 3.6 terabytes of data, including usernames, email addresses, course names, enrollment records, and private messages.
The May 7th Re-Attack, Login Page Defacements, and a Ransom Deadline
On May 7th, using the same vulnerability as in the initial intrusion, ShinyHunters returned and defaced Canvas login portals at multiple institutions. At the University of Texas San Antonio, students and faculty attempting to log in were met with an extortion message: open ransom negotiations by May 12th or the stolen data would be published.
Instructure publicly confirmed the defacements, restored Canvas, and recommended customers monitor their environments for anomalies. The company also suspended all Free-for-Teacher accounts, the entry vector in the most recent incident, while working to address the underlying vulnerabilities.
Data Returned, All Customers Covered
On May 12th, the day of the deadline, Instructure announced it had reached an agreement with ShinyHunters. The group reportedly returned the stolen data, provided shred logs confirming its destruction, and gave assurances that no customers would be individually extorted. Individual schools and universities would not need to negotiate separately.
ShinyHunters subsequently removed Instructure’s entry from its data leak site, the typical signal that a victim has paid. Instructure carefully avoided confirming any payment, referring to the outcome as an “agreement.” The FBI has long cautioned that paying ransoms doesn’t guarantee safety, as threat actors frequently retain copies of stolen data or return to victimize the same organization.
Current Status and What Comes Next for Instructure
Canvas is fully restored and operational. Instructure held a customer webinar on May 13th to address the incident and outline remediation steps, and has restructured its incident update page with dedicated sections for institutional customers, faculty, and students. A one-page incident summary is also available on its website.
For organizations that rely on platforms like Canvas, this incident highlights the need to strengthen vendor risk management. Security teams should conduct regular third-party assessments of critical SaaS platforms, monitor for abnormal authentication and admin activity, and ensure incident response plans explicitly cover scenarios where a vendor, not the organization itself, is the breach entry point.
The reality is that when a platform serving 30 million users gets compromised, waiting for a vendor’s post-incident webinar is too late.
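One way to act on the advice above to monitor for abnormal admin activity, given that this incident involved hijacked admin sessions: flag any privileged session that later appears from a different IP address and user agent than the one it started on. This is an added example, not Instructure's or the author's code; the JSON log fields and the sample events are constructed assumptions, not a Canvas log schema.

```python
import json

# Constructed sample events. Field names are hypothetical, not a Canvas log schema.
SAMPLE_LOG = """
{"ts":"2026-01-10T09:00:02Z","session":"s-a1","user":"admin1","role":"admin","ip":"198.51.100.7","ua":"Firefox/140","action":"login"}
{"ts":"2026-01-10T09:03:10Z","session":"s-a1","user":"admin1","role":"admin","ip":"198.51.100.7","ua":"Firefox/140","action":"view_course"}
{"ts":"2026-01-10T09:04:00Z","session":"s-t9","user":"teacher4","role":"teacher","ip":"192.0.2.44","ua":"Chrome/138","action":"post_content"}
{"ts":"2026-01-10T09:05:30Z","session":"s-a1","user":"admin1","role":"admin","ip":"203.0.113.90","ua":"python-requests/2.32","action":"export_users"}
truncated-line-not-json
{"ts":"2026-01-10T09:06:00Z","session":"s-b2","user":"admin2","role":"admin","ip":"198.51.100.20","ua":"Safari/18","action":"login"}
{"ts":"2026-01-10T09:06:10Z","session":"s-a1","user":"admin1","role":"admin","ip":"203.0.113.90","ua":"python-requests/2.32","action":"list_enrollments"}
"""

REQUIRED = ("ts", "session", "user", "role", "ip", "ua", "action")

def parse_events(text):
    """Parse JSON-lines audit events, skipping blank, malformed or incomplete lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and all(k in ev for k in REQUIRED):
            events.append(ev)
    return events

def find_session_reuse(events, privileged=("admin",)):
    """Alert once per new (ip, user-agent) pair seen on an existing privileged session."""
    seen = {}  # session id -> fingerprints seen so far; the first is the session's origin
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["role"] not in privileged:
            continue
        fp = (ev["ip"], ev["ua"])
        known = seen.setdefault(ev["session"], [fp])
        if fp not in known:
            known.append(fp)
            alerts.append({"session": ev["session"], "user": ev["user"],
                           "origin": known[0], "new_client": fp,
                           "ts": ev["ts"], "first_action": ev["action"]})
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

Legitimate network changes also trigger this rule, so treat a hit as a prompt to review what the session did next rather than as proof of hijacking.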