In late April 2026, Canvas, the learning management system operated by Instructure and used by thousands of schools and universities, suffered a breach that became one of the most disruptive education-sector incidents of the year. The intrusion was bad enough on its own. What made it a case study was the response: a defaced login page during finals week, a multi-day silence, and then a May 11 statement in which Instructure apologized for its lack of transparency and said it had "reached an agreement" with the attacker under which the stolen data was destroyed. Terms were not disclosed; unconfirmed reporting put the figure at roughly $10 million.
The numbers are still contested. The extortion group ShinyHunters claimed it stole approximately 275 million user records totaling 3.65 terabytes across roughly 9,000 institutions worldwide, including private messages between students and teachers. Instructure has confirmed a narrower set: names, email addresses, student ID numbers, and messages among users were involved, while stating it found no evidence that passwords, dates of birth, government IDs, or financial information were taken. As of mid-May, the full 275 million figure had not been independently verified.
Canvas matters here because it is multi-tenant SaaS at civic scale. A single provider sits between hundreds of millions of students, teachers, and staff. When the provider is breached, the blast radius is not one organization but an entire sector. This post walks the verified timeline, the reported entry vector, and what SaaS-dependent organizations, especially in education, should take from it.
TL;DR
- What happened: Canvas LMS (Instructure) was breached in late April 2026; disclosed publicly May 1, defaced May 7, settlement announced May 11.
- Claimed scope (ShinyHunters, unverified): ~275 million records, 3.65 TB, ~9,000 institutions, including student-teacher messages.
- Confirmed scope (Instructure): Names, email addresses, student ID numbers, and user-to-user messages.
- Confirmed NOT taken (Instructure): Passwords, dates of birth, government IDs, financial information, per the company.
- Reported entry vector: An issue related to Canvas "Free-For-Teacher" accounts, per Instructure's investigation.
- Response: Instructure apologized for poor transparency and said it reached an agreement under which data was destroyed; unconfirmed ~$10M payment.
- Key action: Treat your LMS and other civic-scale SaaS as a single point of sector-wide failure; demand tenant-isolation, message-data minimization, and breach-clock commitments from the vendor.
What happened
The verified timeline, drawn from Instructure's incident page and contemporaneous reporting:
- April 25, 2026: Unauthorized actors accessed Canvas systems.
- April 29, 2026: Instructure detected the intrusion and revoked unauthorized access, engaging third-party forensics.
- May 1, 2026: Instructure disclosed the incident on its status page.
- May 7, 2026 (~1:20 PM PDT): Students discovered defaced Canvas login pages carrying extortion messaging; the incident reached wide public attention during finals week.
- May 11, 2026: Instructure apologized for its lack of transparency and stated it had reached an agreement with the unauthorized actor under which the compromised data was destroyed.
- May 13, 2026: A class action was filed in San Diego.
Separating reported from claimed is essential here:
- Confirmed by Instructure: Names, email addresses, student ID numbers, and messages among users were involved. No evidence (per Instructure) that passwords, dates of birth, government IDs, or financial information were taken. The investigation attributed the exposure to an issue related to Free-For-Teacher accounts.
- Claimed by ShinyHunters (unverified): ~275 million records, 3.65 TB of data, ~9,000 institutions, and possession of student-teacher private messages.
- Unconfirmed reporting: A payment of roughly $10 million in exchange for data destruction.
A vendor's claim that data was "destroyed" after a payment is not verifiable and should not be treated as remediation. There is no way to confirm an extortion group deleted every copy. Affected institutions should plan as though the data persists.
How the attack worked
Instructure attributed the exposure to "an issue related to its Free-For-Teacher accounts." Free-For-Teacher (FFT) is Canvas's no-cost, self-service tier that lets any teacher create an account and course space without going through a paying institution's provisioning. That design choice is the most likely seam.
The risk profile of a self-service free tier inside a multi-tenant platform is specific:
Why a free self-service tier is a high-value seam in multi-tenant SaaS (illustrative reasoning, not a confirmed exploit path for Canvas):
- Self-signup: minimal identity verification at account creation.
- Shared platform: FFT accounts run on the same code/data plane as paid institutional tenants.
- Broad surface: millions of low-trust accounts widen the authenticated attack surface.
- Cross-tenant risk: any flaw that lets one tenant read another's objects becomes catastrophic at this scale.
If a flaw in the FFT path (an authorization gap, an enumeration weakness, or a provisioning bug) allowed access beyond the intended tenant boundary, the consequence in a platform serving hundreds of millions of users is enormous. Instructure has not published the technical specifics, so the exact mechanism remains unconfirmed. What is confirmed is the category: a problem rooted in the free, self-service account tier that shares infrastructure with paying institutions.
The structural lesson does not depend on the exact bug. In multi-tenant SaaS, the security of the most-privileged tenant is bounded by the security of the least-trusted account on the same data plane. A free tier with weak identity assurance and shared infrastructure is a soft entry point into a hard target.
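The "least-trusted account bounds the most-privileged tenant" point, as an added illustration that is not Canvas code and does not describe the actual Canvas flaw: a hypothetical conversation-read path that trusts a caller-supplied tenant scope, beside a hardened version that derives the tenant from the authenticated principal and pins free-tier principals to their own partition. The store, tenant names and the "fft" partition are constructed.

```python
"""Hypothetical tenant-isolation check for a multi-tenant LMS data plane.
Constructed illustration: not Canvas code and not a confirmed Canvas flaw."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: int
    tenant_id: str   # institution id, or "fft" for the free self-service tier
    tier: str        # "institutional" or "free"

@dataclass(frozen=True)
class Conversation:
    conv_id: int
    tenant_id: str
    participants: frozenset

# Constructed sample store: two institutional tenants plus the free-tier partition.
STORE = {
    1: Conversation(1, "uni-a", frozenset({10, 11})),
    2: Conversation(2, "uni-b", frozenset({20, 21})),
    3: Conversation(3, "fft", frozenset({30, 31})),
}

class Forbidden(Exception):
    pass

def read_conversation_weak(principal, conv_id, requested_tenant):
    """Anti-pattern: the tenant scope comes from the request, so the authenticated
    principal is never consulted and a free-tier account can name any tenant."""
    conv = STORE.get(conv_id)
    if conv is None or conv.tenant_id != requested_tenant:
        raise Forbidden("not found in requested tenant")
    return conv

def read_conversation(principal, conv_id):
    """Hardened: the tenant is derived from the authenticated principal, the object
    must live in that tenant, and the caller must be a participant. Free-tier
    principals stay pinned to the free-tier partition regardless of what they claim."""
    if principal.tier == "free" and principal.tenant_id != "fft":
        raise Forbidden("free-tier principal outside its partition")
    conv = STORE.get(conv_id)
    if conv is None or conv.tenant_id != principal.tenant_id:
        raise Forbidden("cross-tenant access")  # the alertable signal
    if principal.user_id not in conv.participants:
        raise Forbidden("not a participant")
    return conv
```

The weak variant returns another tenant's object to a free-tier principal; the hardened one refuses it and gives the platform a single place to raise the cross-tenant alert discussed below.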
What detection looks like
For a SaaS provider operating at this scale, and for customer institutions trying to detect misuse of their own Canvas tenant, the useful signals are:
- Cross-tenant object access. Any code path or API call where an account scoped to tenant A reads objects owned by tenant B. This should be alertable at the platform level and is the single most important signal for multi-tenant breaches.
- Anomalous read volume from low-trust accounts. A self-service free account reading message or roster data at a rate inconsistent with a single teacher's classroom.
- Bulk message/roster extraction. Large exports of Conversation, Enrollment, or user-profile data, especially from API clients rather than the web UI.
- New API integrations on institutional tenants. Unexpected developer keys or OAuth grants created on an institution's Canvas instance.
- Login-page integrity monitoring. The May 7 defacement was visible to students before it was clearly communicated by the vendor. File-integrity and content monitoring on auth pages catches defacement fast.
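The first three signals above, run over a handful of constructed access-log lines as an added example (not Instructure's telemetry or log format, which is not public): one pass flags cross-tenant reads, read volume from a free-tier account beyond a per-window cap, and API-client reads of message and roster objects beyond a bulk threshold. The line layout, field names and both thresholds are assumptions.

```python
"""Detection over constructed Canvas-style access-log lines.
Added example; the log format and thresholds are assumptions, not Canvas's."""
from collections import Counter

# Constructed sample. Fields: ts user tier actor_tenant action object_type object_tenant client
SAMPLE_LOG = """\
2026-04-25T02:00:01Z u30 free fft read Conversation fft web
2026-04-25T02:00:02Z u30 free fft read Conversation uni-a api
2026-04-25T02:00:03Z u30 free fft read Enrollment uni-b api
2026-04-25T02:00:04Z u10 institutional uni-a read Conversation uni-a web
2026-04-25T02:00:05Z u30 free fft read Conversation uni-c api
2026-04-25T02:00:06Z u30 free fft read Conversation uni-d api
"""

FREE_TIER_READ_LIMIT = 3   # assumption: per-window read cap for self-service accounts
BULK_EXPORT_LIMIT = 3      # assumption: per-window cap on API reads of sensitive objects
SENSITIVE = {"Conversation", "Enrollment", "UserProfile"}

def parse(line):
    ts, user, tier, actor_tenant, action, obj, obj_tenant, client = line.split()
    return dict(ts=ts, user=user, tier=tier, actor_tenant=actor_tenant,
                action=action, obj=obj, obj_tenant=obj_tenant, client=client)

def detect(log_text):
    """Return (rule, user, detail) findings for one window of log lines."""
    findings = []
    reads = Counter()      # per-user reads of any object
    api_bulk = Counter()   # per-user API-client reads of sensitive objects
    tier = {}
    for line in log_text.splitlines():
        e = parse(line)
        tier[e["user"]] = e["tier"]
        # Signal 1: an account scoped to tenant A touched an object owned by tenant B.
        if e["actor_tenant"] != e["obj_tenant"]:
            findings.append(("cross_tenant_access", e["user"],
                             f"{e['actor_tenant']} read {e['obj']} in {e['obj_tenant']}"))
        if e["action"] == "read":
            reads[e["user"]] += 1
            if e["client"] == "api" and e["obj"] in SENSITIVE:
                api_bulk[e["user"]] += 1
    # Signal 2: read volume inconsistent with a single free-tier classroom.
    for user, n in reads.items():
        if tier[user] == "free" and n > FREE_TIER_READ_LIMIT:
            findings.append(("free_tier_read_volume", user, f"{n} reads"))
    # Signal 3: bulk extraction of message/roster data through an API client.
    for user, n in api_bulk.items():
        if n > BULK_EXPORT_LIMIT:
            findings.append(("bulk_api_extraction", user, f"{n} sensitive API reads"))
    return findings
```

In production the window and thresholds would be tuned per tenant, and the cross-tenant rule would fire on a single event rather than a count.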
Customer institutions are largely dependent on the provider's telemetry here, which is itself the problem. Most schools cannot see cross-tenant access inside Canvas; they can only see their own tenant. That visibility gap is why vendor security commitments matter more than customer-side detection for civic-scale SaaS.
What to do Monday morning
For institutions and any organization dependent on a single large SaaS provider:
- Assume student-teacher messages are public. Instructure confirmed user messages were involved and a payment does not guarantee deletion. Brief staff and students that message contents may surface; advise against assuming privacy of historical conversations.
- Rotate what you control. Student ID numbers exposed in the breach are identifiers used elsewhere in your systems; review where they grant access or appear in URLs and tighten accordingly. Reset any institution-managed API keys and developer tokens on your Canvas tenant.
- Audit your own tenant's integrations. List every LTI tool, developer key, and OAuth grant on your Canvas instance and remove ones you cannot account for.
- Demand the post-incident report. As a customer, request Instructure's root-cause and remediation detail in writing, specifically how Free-For-Teacher accounts are now isolated from paid tenants.
- Watch for student-targeted phishing. Name plus email plus student ID is a strong phishing kit. Warn your community to expect fake "Canvas account recovery" and grade-related lures.
- Re-evaluate message-data retention. If your LMS stores years of student-teacher messages, ask whether it should. Data not retained cannot be stolen.
- Update your vendor risk file. Record Instructure's transparency timeline (disclosed May 1, defaced May 7, settlement May 11) for your next contract negotiation and your TPRM scoring.
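The "audit your own tenant's integrations" step above, as an added example that is not Instructure's tooling: a policy check over a constructed export of a tenant's LTI tools, developer keys and OAuth grants that reports anything not on the institution's approved list, anything holding message or roster scopes, and anything created on or after the April 25 access date from the timeline. The record layout, the scope strings and the approved list are assumptions.

```python
"""Policy check over a constructed inventory of a Canvas tenant's integrations.
Added example; record shapes, scope strings and the approved list are assumptions."""
from datetime import datetime, timezone

# Constructed inventory, shaped like an admin's export. Field names are
# illustrative and not the Canvas API's own.
INVENTORY = [
    {"kind": "lti_tool", "id": "lti-1", "name": "Library Catalog", "scopes": []},
    {"kind": "developer_key", "id": "dk-7", "name": "Gradebook Sync",
     "scopes": ["url:GET|/api/v1/courses/:course_id/assignments"]},
    {"kind": "developer_key", "id": "dk-9", "name": "Untitled",
     "scopes": ["url:GET|/api/v1/conversations",
                "url:GET|/api/v1/courses/:course_id/enrollments"]},
    {"kind": "oauth_grant", "id": "og-3", "name": "Calendar Export",
     "scopes": [], "created": "2026-04-26T09:00:00Z"},
]
APPROVED = {"lti-1", "dk-7"}   # assumption: integrations the institution can account for
HIGH_SCOPE_PATHS = ("/api/v1/conversations", "/enrollments", "/users")
INCIDENT_WINDOW_START = datetime(2026, 4, 25, tzinfo=timezone.utc)  # first access, per the timeline

def is_high_scope(scope):
    """Scopes that reach message, roster or user-profile data."""
    return any(p in scope for p in HIGH_SCOPE_PATHS)

def evaluate(inventory, approved):
    """Return (finding, integration_id) pairs; an empty list means a clean tenant."""
    findings = []
    for item in inventory:
        if item["id"] not in approved:
            findings.append(("unaccounted", item["id"]))
        if any(is_high_scope(s) for s in item.get("scopes", [])):
            findings.append(("high_scope", item["id"]))
        created = item.get("created")
        if created:
            when = datetime.fromisoformat(created.replace("Z", "+00:00"))
            if when >= INCIDENT_WINDOW_START:
                findings.append(("created_in_incident_window", item["id"]))
    return findings
```

A finding here is a removal or review ticket, not a verdict; an integration the institution can account for is added to the approved list and stops firing.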
Why this keeps happening
Multi-tenant SaaS concentrates risk by design. The same architecture that lets one provider serve 9,000 schools cheaply also means one breach can touch all of them. The education sector amplifies this: budgets are thin, security teams are small, and a handful of platforms (LMS, SIS, assessment) hold the records of an entire generation. When the provider is the single point of failure, customer-side controls cannot compensate.
The Free-For-Teacher dimension is the recurring SaaS anti-pattern: a low-friction free tier bolted onto a high-value paid platform, sharing the same data plane. Free tiers exist for growth, and growth teams optimize for sign-up friction, not identity assurance. The result is millions of weakly-verified accounts living next to institutional data. Any cross-tenant flaw becomes sector-wide.
The response pattern is its own problem. Disclosing late, communicating only after public defacement, and resolving via a quiet payment for unverifiable "data destruction" trains the market that extortion works and leaves customers unable to assess their true exposure. Paying does not restore confidentiality; the data was already copied. It buys a promise from a criminal group, which is not a control.
The structural fix
For organizations that depend on civic-scale SaaS, the realistic lever is not preventing the provider's breach but reducing your own blast radius and choosing vendors whose architecture and disclosure posture limit cross-tenant and cross-customer spread. That means insisting on tenant isolation guarantees, message-data minimization, customer-visible audit logs, and contractual breach-notification clocks.
Safeguard's third-party and SaaS posture tooling helps on the side a customer can control. TPRM scoring tracks each critical vendor's disclosure history, time-to-notify, and architectural risk factors such as shared free tiers, downgrading providers whose past incidents show slow or opaque communication, exactly the Instructure pattern. The integration and supply-chain map enumerates every LTI tool, developer key, and OAuth grant attached to your own SaaS tenants so an unaccounted-for integration is a finding, not a surprise. Policy-as-code can block new high-scope integrations from being added to a sensitive tenant without review. None of this prevents a provider-side breach, but it shrinks what one provider's failure can reach inside your environment and gives you the vendor-risk evidence to push for better.
What we know we don't know
- The real record count. Instructure confirmed categories of data, not totals. The 275 million figure is ShinyHunters' unverified claim.
- The exact FFT flaw. Instructure cited "an issue related to Free-For-Teacher accounts" without publishing technical detail. The precise authorization or provisioning weakness is unconfirmed.
- Whether data was actually destroyed. Instructure's statement rests on the attacker's word. There is no independent verification.
- The payment. The reported ~$10 million figure is unconfirmed; Instructure has not disclosed the terms.
- Per-institution scope. Which of the ~9,000 named institutions were actually affected, and how, is not publicly enumerated.
References
- Wikipedia: 2026 Canvas security incident
- Instructure: Security Incident Update & FAQs
- Inside Higher Ed: Instructure Pays Ransom to Canvas Hackers
- CNN: Canvas hack: What we know about apparent cyberattack that impacted thousands of schools
- PR Newswire: Privacy Alert: Instructure's Canvas under investigation for breach affecting nearly 275 million users