Canvas Hack: Specific Account Type Breach Exposed

The notorious hacking collective ShinyHunters recently announced that it successfully disrupted a prominent education platform not just once, but twice within a few weeks. This data breach could not have occurred at a more inopportune moment, particularly for students and teachers, as it coincided with school finals across many affected institutions, exacerbating the stress and urgency of the academic schedule.

On April 30, Instructure, the edtech company responsible for the widely used Canvas Learning Management System (LMS), experienced a temporary shutdown. The following day, Instructure confirmed that a “criminal threat actor” was indeed accountable for the significant data breach into their systems, raising alarms about the safety of user information.

ShinyHunters reported that they managed to steal data from approximately 275 million Canvas users across nearly 9,000 schools worldwide. This compromised data includes information about students, teachers, and staff. While it is fortunate that no passwords or highly sensitive data were stolen, the information taken remains substantial. The hackers claimed to have accessed usernames, email addresses, student IDs, and private messages exchanged on the platform. Alarmingly, some of the affected users are underage students.

Mashable 101 Fan Fave: Vote for your favorite creator today!

In the aftermath of the initial breach, Instructure quickly took action. The company confirmed that it had revoked access for the malicious actors, implemented measures to rectify the vulnerabilities, and successfully restored Canvas to operational status, thereby ensuring that the platform was secure for its users.

However, just a week later, ShinyHunters claimed it hit Canvas again. This time, the hackers targeted school-specific login pages for the platform, defacing them with messages threatening to publicly disclose the stolen data from the earlier breach unless Instructure agreed to “negotiate a settlement,” effectively putting more pressure on the company.

The demand for monetary compensation from ShinyHunters was not unexpected. This ransomware group is notorious for extorting victims following data breaches. The occurrence of a second breach at Instructure, however, surprised many. Once more, Canvas went offline, and when it returned, the company had taken decisive action to eliminate the source of the second incident: Free-For-Teacher accounts.

According to a newly updated incident page on Instructure’s website, the company disclosed that it “identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited,” highlighting the ongoing security challenges faced by educational platforms.

“We temporarily disabled Free for Teacher while we complete a full security review,” the company stated. “We understand that this is disruptive, and we did not make that decision lightly. However, ensuring the security of the entire Canvas platform must be our top priority,” emphasizing their commitment to user safety and system integrity.

Despite the second breach not resulting in any further stolen data, the timing of this security incident was particularly unfortunate for students, as many schools were in the midst of finals and other critical deadlines for end-of-year coursework.

As PCMag reports, “students and professors struggled to access the online platform used to submit assignments and tests,” creating significant hurdles for academic progress. (Disclosure: PCMag and Mashable are both owned by the same parent company, Ziff Davis.)

Data provided to Mashable from Alliance Risk Trends indicated that Google searches for terms like “canvas hacked” and “canvas down” surged roughly 1,000 percent just last Friday. The combined search volume for queries related to the Canvas security incidents and subsequent downtime surpassed 1 million, reflecting widespread concern among users.

Numerous readers reached out to Mashable to share their experiences. One parent of a student at Seton Hall University forwarded an email from the school that was sent during the Canvas outage.

“We understand that the timing of this is challenging,” the school’s email to students conveyed. “Finals are currently underway, coursework is due, and the Canvas platform being offline at this moment is genuinely disruptive,” highlighting the profound impact of these technical difficulties on academic schedules.

Some institutions, like Baylor University in Texas, even postponed final exams specifically due to challenges accessing Canvas.

“With Canvas down at the national level, Baylor University will delay final exams scheduled for tomorrow (Friday, May 8, 2026),” the school announced in an official statement, demonstrating the wide-reaching consequences of the breach.

Canvas has since returned to operational status. However, the looming deadline set by ShinyHunters to negotiate a “settlement” and the potential release of stolen data on May 12 still casts a shadow over the platform’s future.

Want to learn more about maximizing your tech experience? Sign up for Mashable’s Top Stories and Deals newsletters today.