Cybersecurity Incident at Instructure and Its Impact on the Canvas Platform

In late April and early May 2026, the global education sector was hit by a cybersecurity incident that disrupted online learning infrastructures. The vulnerability was first detected internally by the technology provider Instructure on April 25. During this period, which coincided with final exam season, the cyberattack paralyzed routine services at thousands of campuses and sparked international alarm over the massive exposure of confidential records.
The cyberattack was carried out by the notorious cyber extortion group ShinyHunters, which managed to breach Instructure’s production systems and compromise the Canvas platform. The attack affected some 9,000 elementary and secondary schools, as well as prestigious universities worldwide, putting the personal and identifying information of more than 200 million students and teachers at risk. The stolen data included full names, email addresses, student ID numbers, and billions of private messages exchanged within the system, although the company clarified that passwords and financial information remained secure. Faced with the attackers’ hijacking of Canvas login screens to demand a ransom, academic institutions were forced to enforce forced logouts, implement emergency login alternatives, and alert their communities to potential phishing scams. 
The critical and immediate situation of operational paralysis has now been resolved following the restoration of service and the intervention of federal law enforcement agencies such as the FBI. Instructure issued an official statement confirming that they reached an agreement with the attackers before the May 12 deadline expired, securing the recovery of the data and verifiable digital evidence of the cybercriminals’ complete destruction of the stolen records.