
ShinyHunters Breaches Instructure Canvas LMS via Free Teacher Accounts

In early May 2026, educational technology company Instructure confirmed a significant data breach affecting its widely used Canvas learning management system.

Security teams detected unauthorized activity in the platform, prompting an urgent investigation that revealed attackers had successfully exploited the Free-For-Teacher account program.

The exposure window lasted from the end of April through the first week of May. During that time, the attackers accessed sensitive student and faculty information.

The notorious threat group known as ShinyHunters claimed responsibility for the incident. Subsequently, it launched a public extortion campaign with a mid-May ransom deadline.

This incident marks the second time ShinyHunters has targeted Instructure in the past eight months, following a prior attack on the company’s Salesforce business systems in late 2025.

The previous incident relied heavily on social engineering to access peripheral corporate infrastructure.

However, the May 2026 breach represents a direct and severe compromise of the core Canvas platform itself.

Instructure confirmed that the exposed platform data includes user names, institutional email addresses, student identification numbers, and private messages sent between Canvas users.

ShinyHunters Breaches Canvas LMS

The Canvas breach highlights the profound architectural risks inherent in multi-tenant software-as-a-service environments where free and paid tiers share identical back-end infrastructure.

Free-For-Teacher accounts operate as production Canvas tenants, designed with lower-friction onboarding that explicitly allows educators to bypass formal institutional verification.

Despite implementing standard logical isolation measures, these unverified free accounts ran on the same underlying systems and databases as paid enterprise tenants.

When the attackers exploited an unspecified vulnerability or verification gap within the free account tier, the fundamental isolation model failed, granting unauthorized lateral access to highly sensitive production course data.

According to Bitdefender research, the most prominent downstream threat for educational institutions is highly targeted spear-phishing campaigns.

Times Higher Education flagged this dynamic as a severe operational risk, noting that threat actors can weaponize stolen private messages and authentic student identification numbers to craft exceptionally convincing deception lures.

A malicious email that accurately references specific course materials or directly quotes a private instructor message establishes a false sense of credibility that easily bypasses standard user suspicion and automated email filters.

Indicators of Compromise

| Indicator Type | Data | Description |
|---|---|---|
| URL | hxxp://91[.]215[.]85[.]103/pay_or_leak/instructure_affected_schools_list[.]txt | ShinyHunters public listing of affected institutions (defanged — access only from sandboxed environment) |
| URL | hxxp[:]//shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid[.]onion/ | ShinyHunters public data leak site (defanged – access only from sandboxed environment, must use Tor or similar browsers) |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
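The defang convention in the note above can be handled in code so that indicators are re-fanged only in memory for matching and every reported value is defanged again. The following is an added example, not part of the original article; the proxy log format, the function names, and the sample indicators (an RFC 5737 documentation address and a reserved .example host) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Defang notations seen in the table above: hxxp scheme, [.] dots, [:] colon.
_REFANG = [(re.compile(r"^hxxp", re.I), "http"),
           (re.compile(r"\[\.\]"), "."),
           (re.compile(r"\[:\]"), ":")]

def refang(indicator):
    """Return the live form of a defanged indicator (keep it in memory only)."""
    for pattern, repl in _REFANG:
        indicator = pattern.sub(repl, indicator)
    return indicator

def defang(value):
    """Defang a live URL so it is safe to paste into tickets and reports."""
    return re.sub(r"^http", "hxxp", value, flags=re.I).replace(".", "[.]")

def ioc_hosts(defanged_iocs):
    """Map each indicator's host (live form) back to its defanged original."""
    hosts = {}
    for ioc in defanged_iocs:
        host = urlsplit(refang(ioc)).hostname
        if host:
            hosts[host.lower()] = ioc
    return hosts

def find_hits(log_lines, defanged_iocs):
    """Return (timestamp, client, defanged URL, matched indicator) per hit."""
    hosts = ioc_hosts(defanged_iocs)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        ts, client, _method, url = parts[:4]
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            hits.append((ts, client, defang(url), hosts[host]))
    return hits

# Constructed sample data (assumed log format: time client method url status).
SAMPLE_IOCS = ["hxxp://192[.]0[.]2[.]10/list[.]txt", "hxxp[:]//leaksite[.]example/"]
SAMPLE_LOG = [
    "2026-05-08T09:14:02Z 10.1.4.22 GET http://192.0.2.10/list.txt 200",
    "2026-05-08T09:15:40Z 10.1.4.23 GET http://lms.school.example/courses 200",
    "2026-05-08T09:16:11Z 10.1.7.5 CONNECT http://LeakSite.example/ 403",
    "truncated-line",
]
```

Matching is on the destination host, so any path on an indicator host is reported; the client address in each hit identifies the workstation to follow up with.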


The post ShinyHunters Breaches Instructure Canvas LMS via Free Teacher Accounts appeared first on Cyber Security News.

rssfeeds-admin
