May 12 … time is ticking for nearly 9,000 schools
# Incident Report: Double Canvas Intrusion by ShinyHunters
## Executive Summary
Instructure, the parent company of the Canvas learning management system, confirmed two distinct unauthorized intrusions occurring between April and May 2026. The threat actor, identified as ShinyHunters, exploited a vulnerability in the "Free-for-Teacher" system to exfiltrate 3.65 TB of data and deface hundreds of school login portals. The incident resulted in significant operational disruption during peak academic testing periods and the potential exposure of 275 million student and staff records.
## Incident Details
- **Discovery Date:** April 29, 2026
- **Incident Date:** April 29, 2026 – May 7, 2026
- **Affected Organization:** Instructure (Canvas LMS)
- **Sector:** Education Technology (Ed-tech)
- **Geography:** Global (impact concentrated on ~9,000 schools, including major US universities)
## Timeline of Events
### Initial Access
- **Date/Time:** April 29, 2026
- **Vector:** Exploitation of a security vulnerability
- **Details:** Attackers exploited a flaw within the "Free-for-Teacher" learning system to gain unauthorized access to the Canvas environment.
### Lateral Movement
- **Details:** Following the initial breach on April 29, the attacker maintained a presence or regained entry, leading to a second wave of activity detected on May 7. The actors targeted privileged credentials and tokens to move across the platform.
### Data Exfiltration/Impact
- **Details:** ShinyHunters claims to have exfiltrated 3.65 TB of data (approx. 275 million records). On May 7, the actors defaced approximately 330 school login portals.
### Detection & Response
- **April 29:** First unauthorized activity detected; access revoked; investigation launched.
- **May 7:** Second wave of activity detected; Instructure forced Canvas into "maintenance mode" (offline) to contain the threat.
- **May 11:** Instructure publicly detailed the scope of stolen data.
- **May 12:** Final ransom deadline set by ShinyHunters for individual schools.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerability in the Free-for-Teacher system.
- **Persistence:** Utilization of compromised access tokens.
- **Privilege Escalation:** Use of privileged credentials and internal keys.
- **Defense Evasion:** Not explicitly detailed, but involved two distinct phases of activity.
- **Lateral Movement:** Pivot from the Free-for-Teacher module to broader school login portals.
- **Collection:** Gathering of usernames, email addresses, course names, and enrollment info.
- **Exfiltration:** Transfer of 3.65 TB of data.
- **Impact:** Website defacement and massive operational "denial of service" by forcing the platform offline during finals/AP testing.
## Impact Assessment
- **Financial:** Potential ransom demands; costs associated with hiring CrowdStrike for forensics.
- **Data Breach:** 275 million records including usernames, emails, enrollment data, and messages.
- **Operational:** Severe disruption for 9,000 schools; loss of access to grades and course materials during final exams.
- **Reputational:** Significant damage as this is the second major breach for Instructure within a year (following a Salesforce-related incident in Sept 2025).
## Indicators of Compromise
- **Network indicators:** Unauthorized traffic originating from or directed to Free-for-Teacher API endpoints.
- **Behavioral indicators:** Mass modification/defacement of login portal HTML/CSS; unauthorized rotation or generation of access tokens.
## Response Actions
- **Containment:** Temporarily shut down all "Free-for-Teacher" accounts; took the entire Canvas platform offline into maintenance mode.
- **Eradication:** Revoked privileged credentials and compromised access tokens; rotated internal encryption keys.
- **Recovery:** Restored Canvas services by Saturday (May 10/11); restricted token creation pathways.
- **External Support:** Engaged CrowdStrike for forensic analysis; coordinated with the FBI and CISA.
## Lessons Learned
- **Segmented Risk:** A vulnerability in a "free" or peripheral service (Free-for-Teacher) can provide a foothold into the core enterprise environment.
- **Vulnerability Remediation:** The first "eviction" on April 29 was unsuccessful in closing the primary vector, allowing a second attack on May 7.
- **Timing:** Attackers maximize leverage by striking during critical business windows (Final exams/AP testing).
## Recommendations
- **Zero Trust Architecture:** Implement stricter isolation between the "Free-for-Teacher" environment and the institutional Canvas production environment.
- **Token Management:** Implement shorter lifespans for access tokens and more rigorous monitoring of token generation patterns.
- **Patch Management:** Prioritize the remediation of vulnerabilities in public-facing modules.
- **Incident Post-Mortem:** Review why the initial containment on April 29 failed to prevent the May 7 re-entry.
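As an added example (not Instructure's detection logic and not a Canvas API), the following Python flags the two behavioral indicators listed under Indicators of Compromise and supports the token-monitoring recommendation above: a per-actor burst of access-token generation and mass modification of distinct login portals within a short window. The audit-event field names (`ts`, `actor`, `action`, `target`), the action names and the sample events are assumptions constructed for illustration.

```python
"""Sliding-window detection for the two behavioral indicators in this report:
bursts of access-token generation and mass edits to login portals. Field names
and sample events are constructed for illustration, not real Canvas logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back window per actor
TOKEN_BURST = 5                 # token.create events within WINDOW that alert
PORTAL_BURST = 10               # distinct portals modified within WINDOW that alert


def _ev(ts, actor, action, target):
    return {"ts": ts, "actor": actor, "action": action, "target": target}


# Constructed audit trail: one service identity mints six tokens in five minutes,
# then edits twelve school portals; a human admin mints three tokens hours apart.
SAMPLE_EVENTS = (
    [_ev(f"2026-05-07T02:0{i}:00Z", "svc-free-for-teacher", "token.create", f"tok-{i}") for i in range(6)]
    + [_ev(f"2026-05-07T02:{10 + i:02d}:00Z", "svc-free-for-teacher", "login_portal.update", f"school-{i}") for i in range(12)]
    + [_ev(f"2026-05-07T{9 + 4 * i:02d}:00:00Z", "admin-jane", "token.create", f"tok-admin-{i}") for i in range(3)]
)


def detect(events, window=WINDOW, token_burst=TOKEN_BURST, portal_burst=PORTAL_BURST):
    """Return (actor, indicator, count) alerts; each actor alerts once per indicator."""
    alerts, fired = [], set()
    tokens = defaultdict(deque)   # actor -> timestamps of recent token.create events
    portals = defaultdict(deque)  # actor -> (timestamp, portal id) of recent portal edits
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        ts, actor = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ"), ev["actor"]
        if ev["action"] == "token.create":
            q = tokens[actor]
            q.append(ts)
            while ts - q[0] > window:  # drop events older than the window
                q.popleft()
            count, indicator, threshold = len(q), "token_burst", token_burst
        elif ev["action"] == "login_portal.update":
            q = portals[actor]
            q.append((ts, ev["target"]))
            while ts - q[0][0] > window:
                q.popleft()
            count, indicator, threshold = len({p for _, p in q}), "portal_defacement_burst", portal_burst
        else:
            continue
        if count >= threshold and (actor, indicator) not in fired:
            fired.add((actor, indicator))
            alerts.append((actor, indicator, count))
    return alerts
```

The thresholds and window are tuning knobs: set them from a baseline of normal per-identity token issuance so that a single admin working through a backlog does not trip the rule, while a service identity minting tokens and touching dozens of portals in minutes does.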