Canvas login portal incident led to widespread disruption

Threat summary

Following the disclosure of unauthorized access to Instructure’s Canvas learning management system in early May 2026, the incident escalated into a widespread service disruption affecting schools and universities globally.

In 2026, Instructure provided Canvas to approximately 30 million active participants at over 8,000 educational institutions in the United States, United Kingdom, Canada, Australia, New Zealand and some European nations.

The platform is the most widely adopted learning management system in North American higher education, with 41% of institutions using the software. It assists with managing coursework, assignments, quizzes, exams, and grades, as well as facilitating communication between instructors and students.

On May 8, Instructure took Canvas offline after detecting malicious activity that altered institutional login portals. The outage occurred during final exam periods for many institutions, disrupting access to grades, course materials, assignments, and messaging, forcing some schools to delay exams or adopt temporary workarounds.

Instructure reported that the threat actors exploited a flaw in the Canvas platform that allowed centralized modification of login portals across hundreds of institutions. The defaced login pages displayed extortion messages referencing an earlier breach and threatening the public release of stolen data if ransom demands were not met by May 12. The company stated that the activity occurred within its cloud-hosted environment and was not the result of compromised school or university networks.

The threat actors pivoted from Free-For-Teacher accounts to paid institutions by exploiting a vulnerability in the Free-For-Teacher environment that enabled authenticated admin-level access within Instructure’s shared Canvas platform. This allowed for centralized login-portal modification without compromising individual schools. Instructure disabled its Free-For-Teacher accounts and worked with external forensic investigators to contain the incident.

By May 9, Canvas services were gradually restored after Instructure stated there was no evidence the threat actor retained ongoing access. The company has not disclosed whether a ransom was paid and continues to investigate the scope of data exposure.

ShinyHunters extortion group publicly claimed responsibility for both the earlier breach and the subsequent portal defacements. The group alleged access to large volumes of private messages and records linked to thousands of schools worldwide and used visible login‑page manipulation to apply pressure directly to students, educators, and institutions.

On May 11, Instructure stated that it reached an agreement with the unauthorized actor involved in the Canvas incident due to ongoing concerns about the potential publication of data. The company said that, as part of the agreement, the data was returned, it received digital confirmation of data destruction, and it was informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.

Analysis

From a technical standpoint, it appears that defacing login portals was not required for continued access or data theft. By the time the portals were altered, reporting indicates that the actors had already completed the earlier intrusion and data exfiltration phase.

The threat actors appear to have used the defacements primarily as a visibility and pressure tactic, drawing attention to the earlier intrusion and reinforcing their extortion demands by demonstrating platform‑level control.

Organizations using Canvas are facing a vendor-side incident, not a failure of their own systems. Local firewalls, endpoint tools, and network monitoring did not factor into preventing this activity. This incident happened entirely within the provider’s environment, outside institutional control.

The affected functionality was part of Instructure’s backend services and account architecture. Instructure’s customers did not manage Free-For-Teacher accounts, could not patch the vulnerability, and had no visibility into how those accounts interacted with shared platform components.

Including third-party platform breaches in incident response and continuity planning helps reduce downtime and uncertainty in such events.

Organizations may experience follow-on phishing attempts using exposed Canvas data including usernames, email addresses, student identification numbers, and some private messages. That information can be used to craft emails or messages that reference real courses, instructors, or exams. Educational institutions should treat any Canvas-related message that asks for credentials, payment, or urgent action with caution and verify it through known channels.

Reinforce basic user awareness by reminding students and staff to verify unexpected emails, calls, or texts claiming to relate to Canvas or Instructure. Threat actors often rely on urgency and familiarity to prompt mistakes, especially after a high‑profile incident like this.

Field Effect has been using Canvas for a limited number of online courses and was listed among impacted organizations. We'll continue to monitor the situation but can confirm that Field Effect has experienced no material business, operational or security impact as a result of this incident.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up