Instructure's Canvas LMS Faces Dual Cyberattacks by ShinyHunters

Instructure's Canvas LMS Faces Dual Cyberattacks by ShinyHunters

First seen 15 May 2026, 16:27 UTC ScworldDarkreadingwww.cybersecuritydive.comwww.instructure.comwww.silverfort.com 88% similarity 66.0

Article Content

Browse articles
ThreatCluster

Instructure's Canvas learning management system was compromised twice by the ShinyHunters cybercriminal group in May 2026, affecting over 30 million students across 9,000 educational institutions. The initial breach occurred on April 29, 2026, leading to the exposure of user data, including names and emails. Instructure claimed to have resolved the issue by May 6, but a subsequent attack on May 7 resulted in a ransom demand and the threat of releasing 3.65 terabytes of sensitive data. The House Committee on Homeland Security has requested Instructure's CEO to testify regarding the incidents and the company's cybersecurity measures. Lawmakers are particularly concerned about the company's ability to manage vulnerabilities and the potential ransom payment. The second attack exploited cross-site scripting (XSS) vulnerabilities, raising alarms about the security of educational technology platforms. Instructure stated that no customers would be extorted as a result of the incident, claiming that the stolen data was returned.

Key Points: • Instructure's Canvas LMS was hacked twice by ShinyHunters, impacting 30 million students. • The first breach revealed user data, while the second attack involved a ransom demand. • Lawmakers are investigating Instructure's cybersecurity response and vulnerability management.

ThreatCluster AI

Timeline

2026-04-29
First breach of Canvas LMS reported
ShinyHunters compromised Canvas, exposing user data including names and emails.
Scworld
2026-05-01
Instructure discloses initial breach
Instructure acknowledged that threat actors obtained certain identifying information of users.
Darkreading
2026-05-06
Instructure claims breach resolved
Instructure declared the initial breach resolved and Canvas fully operational.
Darkreading
2026-05-07
Second attack and ransom demand issued
ShinyHunters returned and posted a ransom demand on Canvas login pages, threatening to release data.
Scworld
2026-05-11
House Committee requests Instructure CEO to testify
Rep. Andrew Garbarino sent a letter requesting CEO Steve Daly to appear before the committee by May 21.
Scworld
2026-05-14
Congressional inquiry into Instructure's cybersecurity
The House Committee on Homeland Security raised concerns about Instructure's incident response and security measures.
Darkreading

Community

Browse all →