Instructure Canvas hack update: Breach involved a specific teacher account type and interrupted finals

The hacking group ShinyHunters breached Instructure’s Canvas platform twice in April, stealing data from 275 million users across 9,000 schools and exploiting a vulnerability in Free-for-Teacher accounts to disrupt finals. Instructure temporarily disabled the affected accounts to prevent further breaches, though no additional data was stolen in the second incident.
The hacking collective ShinyHunters breached Instructure’s Canvas Learning Management System (LMS) twice in late April, causing widespread disruptions during finals for students and teachers globally. On April 30, Canvas went offline after a confirmed data breach, exposing usernames, email addresses, student IDs, and private messages of 275 million users across nearly 9,000 schools. Instructure later confirmed the breach was linked to a vulnerability in Free-for-Teacher accounts, which were temporarily disabled to contain the threat.

ShinyHunters claimed responsibility for the initial breach and later defaced school login pages, threatening to leak the stolen data unless Instructure negotiated a settlement. The group had previously demanded ransom payments following other breaches. Though no sensitive data like passwords was stolen, the timing of the outage disrupted access to assignments and tests during critical exam periods.

Instructure’s incident update revealed the second breach exploited a flaw in support tickets for Free-for-Teacher accounts, forcing the company to disable the feature until a full security review was completed. The company stated the decision was made to prioritize platform security, despite the disruption to users.

Students and professors reported difficulties accessing Canvas to submit work, with search interest for ‘canvas hacked’ and ‘canvas down’ spiking by 1,000% in a single day. The breach affected institutions worldwide, including Seton Hall University, where students received emails acknowledging the challenges caused by the downtime. While Instructure revoked access for the attackers and restored services, the incident raised concerns about vulnerabilities in educational technology platforms during high-stakes academic periods.