Instructure Takes Canvas Offline After 3.75‑TB Breach Claimed by ShinyHunters

Context On May 7, Instructure’s security team detected unauthorized access across multiple Canvas instances and ordered a full server shutdown to contain the incident. Service was restored the same day after verification that no active threat remained. The action affected all institutions using Canvas, including Trinity Information Technology Services, which confirmed its own data was not accessed.

Key Facts Universities involved in the incident have disclosed that approximately 3.75 terabytes of data were exfiltrated from Canvas‑using environments. The ShinyHunters group posted a claim of responsibility, referencing its 2020 campaign that stole over 200 million records from thirteen companies. The group demanded payment by May 12 and threatened to publish the stolen data if unpaid.

What It Means While Instructure has not disclosed the exact attack vector, the rapid shutdown and same‑day restoration suggest a containment‑focused response rather than a prolonged outage. Defenders should treat this as a reminder to monitor for large‑scale data exfiltration, enforce multi‑factor authentication on all cloud‑service accounts, and review third‑party integrations for excessive permissions. Recommended mitigations include applying the latest patches for any known Canvas‑related vulnerabilities (e.g., CVE‑2023‑XXXX if disclosed), implementing detection rules for MITRE ATT&CK techniques T1078 (Valid Accounts), T1041 (Exfiltration Over Command and Control), and T1566 (Phishing), and conducting regular reviews of outbound traffic thresholds to catch anomalous transfers. Institutions should also verify that backup copies are isolated and test restoration procedures.

Watch for any follow‑up extortion notices, potential public leaks of the claimed data, and Instructure’s post‑incident report detailing root cause and long‑term hardening measures.