Instructure Reaches Agreement to Prevent Future Data Leaks with ShinyHunters

Post Views: 139

Cybersecurity Breach Hits Instructure’s Canvas Learning Management System

Instructure, the parent company of the widely-used Canvas learning management system (LMS), recently announced a significant cybersecurity breach. On May 12, 2026, the company revealed that the ShinyHunters cybercrime group had accessed over 3.6 terabytes of uncompressed data from their systems.

Breach Details

The breach occurred through a security issue in the Free-for-Teacher environment, a limited version of the Canvas LMS designed for individual educators.
ShinyHunters exploited this vulnerability to gain unauthorized access to sensitive data and subsequently hacked into Instructure’s systems again on May 7.
The group defaced Canvas login portals and demanded a ransom from the company and its customers.

According to Instructure, “no customers will be extorted as a result of the incident.” However, the company warned that paying a ransom does not guarantee that threat actors will not sell the stolen data to other cybercriminals or attempt to extort the victims again.

ShinyHunters claimed responsibility for the breach and boasted about the massive amount of data they had stolen. The group also took credit for exploiting multiple cross-site scripting (XSS) vulnerabilities in the Canvas system, allowing them to inject malicious JavaScript code and gain privileged access to the affected systems.

Precautions Taken

Instructure has temporarily shut down Free-For-Teacher accounts and is working to resolve the underlying security issues.
The company has also taken steps to mitigate the damage and prevent similar incidents from occurring in the future.

This is not the first time ShinyHunters has targeted Instructure. In September 2025, the group claimed responsibility for a separate breach that allowed attackers to access data in Instructure’s Salesforce instance. ShinyHunters has also been linked to several other high-profile breaches, including those at Google, Cisco, Pornhub, the European Commission, Match Group, Rockstar Games, ADT, Vimeo, McGraw-Hill, Medtronic, and Zara.

Conclusion

The incident serves as a reminder of the importance of robust cybersecurity measures and the need for companies to prioritize the protection of their systems and customer data.