Canvas Breach Exposes Up to 275 Million Users, Ransom Deadline Set for May 12

Canvas learning platform breach exposes up to 275 million users; attackers demand payment by May 12. Learn impact and mitigation steps.

Peter Olaleru/3 min/GB

Cybersecurity Editor

Cybersecurity expert warns Salt Typhoon hackers had 'full reign access' to telecommunications data

Source: Foxnews

Canvas, the learning‑management system used by nearly 9,000 schools, has been breached; attackers threaten to release data unless a ransom is paid by May 12.

Context

Instructure discovered unauthorized access on April 25, 2026, and immediately revoked privileged credentials. By May 7 the service was placed in maintenance mode, confirming a serious intrusion. The timing coincided with final exams and graduation deadlines, amplifying operational disruption for institutions worldwide.

Key Facts

- Experts estimate the breach could affect as many as 275 million users, spanning students, faculty and staff at institutions such as Harvard, MIT, Oxford and Duke.
- Stolen records include names, email addresses, student identification numbers and private Canvas messages. No passwords, dates of birth or financial data have been confirmed as compromised.
- The threat actor, a loosely organized group known as ShinyHunters, accused Instructure of ignoring early contact and applying only superficial patches. Their demand: negotiate a settlement by May 12 or face public release of the data.
- ShinyHunters has a history of large‑scale data theft, previously exfiltrating millions of records from telecom, government and corporate targets. Their tactics align with MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing), leveraging stolen credentials to move laterally within cloud environments.
- The breach forced Canvas, Canvas Beta and Canvas Test into maintenance mode, halting grade submissions, exam access and communication tools for weeks.

What It Means

The exposure of billions of private messages creates a fertile ground for credential‑phishing attacks. Even basic identifiers enable social engineering that can trick students into revealing passwords or financial aid information. Institutions must treat the breach as a catalyst for broader security reviews, not an isolated incident.

Mitigations – What Defenders Should Do

1. Rotate all access tokens and privileged credentials on Instructure services immediately; enforce multi‑factor authentication for all accounts.
2. Deploy detection signatures for suspicious API calls and anomalous login patterns associated with ATT&CK T1078.
3. Conduct a forced password reset for all users, prioritizing accounts with elevated privileges.
4. Apply the latest Instructure security patches and verify that they address CVE‑2026‑XXXX (the specific vulnerability exploited has not been publicly disclosed).
5. Monitor for phishing emails that reference Canvas or use stolen student data; educate students and staff on verifying sender addresses.
6. Review cloud configuration for overly permissive IAM (Identity and Access Management) policies that could allow lateral movement.
7. Prepare an incident‑response plan that includes legal counsel and communication strategies for potential data disclosure.
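As an illustration of step 2, the sketch below flags two login patterns consistent with T1078: one account succeeding from two countries within a short window, and a privileged account succeeding from a country it has not used before. It is an added example, not Instructure or Canvas code; the log format, field names, sample events and the one-hour threshold are all constructed assumptions.

```python
# Added example: login-anomaly checks for ATT&CK T1078 (Valid Accounts).
# The log layout below is constructed; it is not Canvas or Instructure output.
import csv
import io
from datetime import datetime, timedelta

# Constructed sample, sorted by time: ts,user,src_ip,country,result,privileged
SAMPLE_LOG = """\
2026-04-24T08:01:00,alice,198.51.100.10,US,success,no
2026-04-24T09:15:00,admin1,198.51.100.20,US,success,yes
2026-04-25T08:03:00,alice,198.51.100.10,US,success,no
2026-04-25T08:20:00,alice,203.0.113.7,RO,success,no
2026-04-25T10:00:00,admin1,203.0.113.9,RO,failure,yes
2026-04-25T10:02:00,admin1,203.0.113.9,RO,success,yes
2026-04-26T12:00:00,bob,192.0.2.44,GB,success,no
"""
FIELDS = ["ts", "user", "src_ip", "country", "result", "privileged"]
TRAVEL_WINDOW = timedelta(hours=1)  # assumed threshold; tune per environment


def detect(log_text):
    """Return (timestamp, user, reason) alerts; input must be time-ordered."""
    alerts = []
    seen = {}  # user -> countries with an earlier successful login
    last = {}  # user -> (time, country) of the latest successful login
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if row["result"] != "success":
            continue  # only successful use of an account counts here
        ts = datetime.fromisoformat(row["ts"])
        user, country = row["user"], row["country"]
        known = seen.setdefault(user, set())
        if user in last:
            prev_ts, prev_country = last[user]
            if prev_country != country and ts - prev_ts <= TRAVEL_WINDOW:
                alerts.append((row["ts"], user, "two countries within window"))
        # A first login has no baseline, so only later new countries alert.
        if known and country not in known and row["privileged"] == "yes":
            alerts.append((row["ts"], user, "privileged login from new country"))
        known.add(country)
        last[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

In production the per-user baseline would be built from a longer history than the log being scanned, and alerts would feed the forced-reset and token-rotation steps in the list above.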

The deadline looms. Security teams should track any further communications from ShinyHunters and be ready to act if the threat materializes. Watch for updates on ransom negotiations and any public data dumps that could signal the next phase of the attack.
