Canvas Attackers Compromise 275M Students, Teachers, and Staff

Instructure confirmed a cybersecurity incident affecting Canvas in which threat actors accessed user data including names, email addresses, student ID numbers, and messages. ShinyHunters later claimed responsibility and threatened to leak the stolen information unless paid. The breach highlights the heightened risk facing educational institutions and the likelihood of follow-on phishing and impersonation attacks using the exposed data. #Canvas #Instructure #ShinyHunters #Salesforce

Key Points

  • Instructure, the company behind Canvas, confirmed a cybersecurity incident on May 1, 2026.
  • By May 2, Instructure said it had contained the event and taken defensive steps such as revoking privileged credentials, rotating tokens and application keys, patching systems, and increasing monitoring.
  • Data accessed in the incident included names, email addresses, student ID numbers, and messages exchanged within Canvas.
  • ShinyHunters later claimed responsibility and added Instructure to its dark web extortion site, demanding payment to prevent release of stolen data.
  • The attack is consistent with ShinyHunters’ use of social engineering, especially voice phishing, and may also relate to prior targeting of Instructure’s Salesforce environment.
  • The breach may affect millions of users across K–12 schools, universities, corporate environments, and thousands of institutions worldwide.
  • Stolen data creates strong downstream risk for phishing, impersonation, credential theft, and financial scams aimed at students, faculty, and administrators.

MITRE Techniques

  • [T1598.003] Phishing for Information: Voice Phishing – Threat actors are described as using vishing to gain access by manipulating victims over the phone (‘the group is known for relying on social engineering techniques, particularly voice phishing (vishing), to gain initial access’).
  • [T1566] Phishing – The stolen names, emails, IDs, and messages can be used to create convincing follow-on phishing lures (‘attackers can craft convincing communications that appear legitimate’).
  • [T1134] Access Token Manipulation – Instructure rotated tokens and application keys after the incident, indicating these credentials were involved in the defensive response to potential compromise (‘rotating tokens and application keys’).
  • [T1098] Account Manipulation – Privileged credentials were revoked as part of containment, reflecting the security impact on accounts (‘revoking privileged credentials’).
  • [T1078] Valid Accounts – The attack discussion centers on compromised credentials and access to connected systems, suggesting abuse of legitimate accounts (‘When attackers successfully gain access—whether through social engineering or compromised credentials’).
  • [T1190] Exploit Public-Facing Application – The breach context includes access through interconnected cloud services and third-party integrations, including Salesforce (‘targeting its Salesforce environment using social engineering’).
  • [T1589.002] Gather Victim Identity Information: Email Address – Email addresses were among the exposed data and can support impersonation and targeting (‘institutional email addresses’).
  • [T1036] Masquerading – Attackers may impersonate professors or administrators using the exposed data to appear legitimate (‘When attackers can convincingly mimic known individuals, like professors or administrators’).

Indicators of Compromise

  • [Organization names] affected vendor and claimed attacker – Instructure, ShinyHunters
  • [Platform / service] breached and discussed environment – Canvas, Salesforce
  • [Data types] exposed user and institutional data – names, email addresses, student ID numbers, messages exchanged within Canvas
  • [Scale / volume] claimed exfiltration size and scope – 3.65 terabytes of data, 275 million individuals
  • [Affected institutions] examples of impacted organizations – Harvard, Stanford, MIT, and 9,000 schools plus 15,000 institutions


Read more: https://www.varonis.com/blog/canvas-attackers-compromise-students-teachers-and-staff