More than 40 percent of colleges and universities use Canvas.
Photo illustration by Justin Morrison/Inside Higher Ed | SuperCubePL/iStock/Getty Images
The higher education sector got another reminder over the weekend that it remains a prime target for cybercriminals.
Hackers who have stolen data from Ticketmaster, Google and several high-profile universities kicked off the month of May by breaching Instructure; the education technology company owns the nation’s most popular learning management system, Canvas, which is used by 41 percent of higher education institutions across North America to deliver courses.
The criminal extortion group ShinyHunters—which has also been linked to recent data breaches at the University of Pennsylvania and Princeton and Harvard Universities—claimed its attack on Instructure affected nearly 9,000 schools worldwide (including a mix of K–12 and higher education institutions) and compromised the personal identifying information of 275 million people, including students, teachers and staff.
While Instructure says it has contained the attack, experts say it points to the added value cyberattackers see in going after third-party vendors instead of individual institutions.
“This breach follows a clear pattern we’ve been watching for the last 18 months,” said Doug Thompson, chief education architect and director of solutions engineering for Tanium, a cybersecurity management company. “Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once.”
This isn’t the first time ShinyHunters has victimized education-technology vendors. Last fall, hackers linked to the group breached Salesforce and claimed theft of some one billion customer records across dozens of companies—including Instructure, which has 8,000 partner institutions. In March, ShinyHunters infiltrated Infinite Campus, a widely used K–12 student information system. And in April, it took credit for accessing internal data at the publisher McGraw Hill.
“It’s the math of a bank robber who just figured out where the armored truck stops. Why hold up a hundred branches when the truck visits all of them? The real risk now is downstream,” Thompson said. “With access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be generic. It will reference real courses and real conversations, which makes it far more likely to succeed.”
‘PAY OR LEAK’
It’s not clear exactly how ShinyHunters hacked into Instructure, but late last week Canvas users started reporting disruptions to their authentication keys. And soon after, Instructure got word from ShinyHunters: “PAY OR LEAK.”
If Instructure didn’t pay up, it could anticipate a leak of “Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information],” ShinyHunters wrote in a ransom letter published May 3 by the website Ransomware.live, which tracks and monitors ransomware groups’ victims and their activity. The hackers told Instructure “to reach out by 6 May 2026 before we leak along with several annoying [digital] problems that’ll come your way,” warning the company to “make the right decision” to avoid becoming “the next headline.”
While Instructure did not respond to Inside Higher Ed’s requests for comment on the ransom and other specific questions about the attack, it pointed to a log of status updates authored by Steve Proud, Instructure’s chief information security officer. On Friday, Proud confirmed that the breach was “perpetrated by a criminal threat actor” and said the company was “actively investigating this incident with the help of outside forensics experts.”
The next day, Proud wrote that Instructure believed it had contained the attack and had taken measures to revoke privileged credentials and access tokens associated with affected systems, deployed patches to enhance system security, rotated certain keys—“even though there is no evidence they were misused”—and implemented increased monitoring across all platforms.
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” he wrote. “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.”
That tracks with reporting by the news outlet Tech Crunch, which viewed a sample of stolen data from a university in Tennessee and another in Massachusetts provided by ShinyHunters. According to the outlet, the sample data included messages containing names, email addresses and some phone numbers but “did not contain passwords or the other types of data that Instructure said was unaffected by the breach.”
‘Rich Targets’
Instructure appears to be restoring its systems. As of the most recent update posted Monday, Proud wrote that Canvas Data 2 and Beta “should now be available for all customers,” while another version of the LMS, Canvas Test, remains under maintenance.
Still, the incident served as a warning for the sector.
“The Canvas breach is a reminder that no platform is immune: There are countless widely used systems that remain attractive targets for sophisticated bad actors, including nation-states,” said Anton Dahbura, executive director of the Johns Hopkins University Information Security Institute. “Educational platforms are particularly rich targets given the concentration of personal, financial and international student data.”
What’s especially troubling about the Canvas breach is that it reveals how “even organizations that do the right things can still be exposed through trusted vendors,” he added. “We need a systemic approach to cybersecurity. Stronger defenses, better supply-chain accountability and a recognition that data breaches are not isolated events, but part of a broader strategic threat landscape.”
