
Ohio State University Restores Canvas Access After Free-for-Teacher Breach Exposes Student Data

Ohio State regained Canvas access May 8 after a breach of Instructure’s Free-for-Teacher tool exposed names, emails, and student IDs for users at nearly 9,000 institutions worldwide.

Peter Olaleru, Cybersecurity Editor (3 min read, US)


TL;DR: Ohio State University regained access to its Canvas learning platform on May 8 after a breach of Instructure’s Free-for-Teacher tool exposed names, email addresses, and student IDs for thousands of users across nearly 9,000 institutions worldwide.

Context

The breach originated in Instructure’s Free-for-Teacher service, a no‑cost tier that lets educators build courses without a campus subscription. Attackers exploited a vulnerability in this component on April 29 and again on May 7, gaining unauthorized access to the underlying Canvas environment. Ohio State officials confirmed that access to CarmenCanvas was restored on May 8, though personal data had already been exfiltrated.

Key Facts

- The compromised data included names, email addresses, and student ID numbers; Instructure stated there was no evidence that passwords, birth dates, government identifiers, or financial information were taken.
- The incident affected nearly 9,000 educational institutions globally, spanning K‑12 schools, colleges, and universities.
- Threat actor group ShinyHunters claimed responsibility, though independent attribution has not been verified by law enforcement.
- Instructure responded by suspending Free-for-Teacher accounts, engaging a third‑party forensic firm, and coordinating with the FBI, CISA, and international partners to investigate and harden the platform.

What It Means

The breach highlights risks associated with freemium service tiers that may receive less rigorous security scrutiny than paid offerings. Organizations using Canvas should immediately review any Free-for-Teacher integrations, disable unused accounts, and enforce multi‑factor authentication for all administrative and educator accounts. Security teams should monitor for MITRE ATT&CK techniques T1190 (Exploit Public‑Facing Application) and T1078 (Valid Accounts) in logs, and apply the latest Instructure security advisories that address the Free-for-Teacher vulnerability. Defenders should also implement network‑level segmentation for learning‑management systems and conduct regular third‑party risk assessments.
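As an added illustration of the account-hygiene and log-review steps recommended above (this is example code, not anything from the article, Ohio State or Instructure), the following Python script audits a constructed account export for unused accounts and privileged accounts without MFA, and scans constructed access-log lines for two coarse indicators: repeated error responses from one source against a public endpoint followed by a success (a T1190-style pattern) and successful activity by an account already flagged as dormant (a T1078-style pattern). The account fields, the log format, the URL paths and the 90-day staleness threshold are all assumptions; real Canvas admin exports and web logs will look different and the heuristics are deliberately simple starting points.

```python
from collections import defaultdict
from datetime import date

STALE_DAYS = 90  # assumption: no login for 90 days counts as "unused"

# Constructed account inventory; field names are hypothetical, not a real Canvas export.
ACCOUNTS = [
    {"user": "admin1", "role": "admin",    "mfa": True,  "last_login": "2025-05-06", "source": "campus"},
    {"user": "teach7", "role": "educator", "mfa": False, "last_login": "2025-05-05", "source": "free_for_teacher"},
    {"user": "teach9", "role": "educator", "mfa": True,  "last_login": "2024-10-01", "source": "free_for_teacher"},
    {"user": "stud3",  "role": "student",  "mfa": False, "last_login": "2025-05-07", "source": "campus"},
]

# Constructed access log, one request per line: timestamp user("-" if unauthenticated) ip method path status
ACCESS_LOG = """\
2025-05-07T02:11:03Z - 203.0.113.9 POST /free_for_teacher/register 500
2025-05-07T02:11:04Z - 203.0.113.9 POST /free_for_teacher/register 500
2025-05-07T02:11:05Z - 203.0.113.9 POST /free_for_teacher/register 500
2025-05-07T02:11:08Z - 203.0.113.9 POST /free_for_teacher/register 200
2025-05-07T02:20:00Z teach9 203.0.113.9 GET /api/v1/accounts/1/users 200
2025-05-07T09:00:00Z stud3 198.51.100.4 GET /courses/42 200
"""


def audit_accounts(accounts, today_iso, stale_days=STALE_DAYS):
    """Return {user: [reasons]} for accounts needing action: unused accounts to disable,
    admin/educator accounts lacking MFA, and Free-for-Teacher accounts to review."""
    today = date.fromisoformat(today_iso)
    findings = defaultdict(list)
    for acct in accounts:
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings[acct["user"]].append(f"disable: unused for {idle} days")
        if acct["role"] in ("admin", "educator") and not acct["mfa"]:
            findings[acct["user"]].append("enforce MFA: privileged account without MFA")
        if acct["source"] == "free_for_teacher":
            findings[acct["user"]].append("review: Free-for-Teacher account")
    return dict(findings)


def parse_log(text):
    """Parse the constructed space-separated log format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, method, path, status = line.split()
        rows.append({"ts": ts, "user": None if user == "-" else user,
                     "ip": ip, "method": method, "path": path, "status": int(status)})
    return rows


def scan_log(rows, dormant_users, error_burst=3):
    """Return (technique, ip, path, detail) alerts.
    T1190 heuristic: >= error_burst consecutive non-2xx/3xx responses from one ip to one path,
    then a success. T1078 heuristic: a successful request by an account flagged as dormant."""
    alerts = []
    errors = defaultdict(int)  # (ip, path) -> consecutive error count
    for r in rows:
        key = (r["ip"], r["path"])
        if r["status"] >= 400:
            errors[key] += 1
            continue
        if errors[key] >= error_burst:
            alerts.append(("T1190", r["ip"], r["path"], f"{errors[key]} errors then success"))
        errors[key] = 0
        if r["user"] in dormant_users:
            alerts.append(("T1078", r["ip"], r["path"], f"dormant account {r['user']} active"))
    return alerts


def run_checks(today_iso="2025-05-08"):
    """Run both checks on the constructed data; dormant accounts from the audit feed the log scan."""
    findings = audit_accounts(ACCOUNTS, today_iso)
    dormant = {u for u, reasons in findings.items() if any(x.startswith("disable") for x in reasons)}
    return findings, scan_log(parse_log(ACCESS_LOG), dormant)


if __name__ == "__main__":
    findings, alerts = run_checks()
    for user, reasons in findings.items():
        print(user, "->", "; ".join(reasons))
    for alert in alerts:
        print(*alert)
```

The two checks are chained on purpose: an account the audit says should be disabled becomes an input to the log scan, so a login from it after the review date is surfaced as a Valid Accounts indicator rather than lost among normal traffic. Tuning `error_burst` and `STALE_DAYS` to local baselines is the first thing to do before running this against real logs.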

Watch for Instructure’s post‑mortem report, any forthcoming CVE assignments related to the Free-for-Teacher flaw, and updates from the FBI or CISA on the investigation’s progress.
