Industry News & Leadership, May 07, 2026

Instructure Breach Exposes Schools' Vendor Dependence

Dark Reading Archived May 07, 2026 ✓ Full text saved

ShinyHunters' attack on Instructure, which owns the widely used Canvas learning management system (LMS), carries big questions about the trust educational institutions put into their vendors.



By Alexander Culafi, Senior News Writer, Dark Reading
May 6, 2026

The breach of a leading educational technology provider has raised fears and concerns regarding possible downstream implications for schools, their staff, and their students.

Instructure, which provides learning management system (LMS) software Canvas for K-12 and higher education clients, disclosed a data breach on May 1 in which a threat actor stole "certain identifying information of users at affected institutions," the company said on its status page. This identifying information includes names, emails, student ID numbers, and messages shared among users. There is no evidence passwords, dates of birth, government identifiers, or financial information were stolen, according to the disclosure.

When Instructure initially disclosed the incident, Canvas Data 2 and Canvas Beta were briefly taken offline for maintenance to facilitate the investigation, as was Canvas Test. Canvas Data 2 became available May 3, Beta on May 4; Test remains under maintenance.

ShinyHunters, a prolific data extortion threat actor, took responsibility for the hack, claiming it exfiltrated 3.65TB of data representing approximately 275 million users across 9,000 institutions. On its data leak site, ShinyHunters listed a deadline of today alongside a threat to Instructure of "PAY OR LEAK."
Steve Proud, chief information security officer at Instructure, said the company engaged outside forensics experts and took multiple incident response steps, including revoking privileged credentials and access tokens associated with affected systems, deploying patches to enhance security, rotating certain keys out of an abundance of caution (even though there was no evidence they were misused), and implementing increased monitoring across all platforms.

"Thank you for your patience as we work to resolve this matter," Proud wrote. "We sincerely regret any inconvenience or concern this may cause."

Dark Reading contacted Instructure for comment, but the company has not responded at press time.

The Canvas Breach: Threats to Academic Institutions

While some of the identifying information may not include passwords, government ID, or banking credentials, the messages sent between users (e.g., students, teachers, and other faculty) are potentially the most sensitive data compromised by ShinyHunters actors. One concern would be whether attackers could use information gained from these messages as an additional extortion lever against institutions or families. Specific identifying information like this would also be useful for follow-on phishing activity.

And for the academic institutions that use Canvas, it's not easy to switch from one LMS to another, let alone if the breached product is the most popular one of its kind in North America.

Denis Calderone, chief technology officer (CTO) of security firm Suzu Labs, tells Dark Reading that under the Family Educational Rights and Privacy Act (FERPA) of 1974, schools are still on the hook for protecting student data even when it sits in a platform the school doesn't control.

"There are other LMS vendors, but migrating off Canvas is not trivial, and I'd suspect most of the affected institutions aren't going anywhere," he says.
Calderone adds that while institutions running Canvas can't control Instructure's security posture, the school can control what data lives there. Relevant organizations should review their data retention policies now.

Similarly, Ensar Şeker, chief information security officer (CISO) at SOCRadar, says that when platforms like Canvas become deeply embedded into daily education workflows, educators and students "inherit" that platform's security posture whether they know it or not.

"The reality is that teachers cannot realistically avoid using these systems, so the focus has to shift from blind trust to resilience and risk reduction. Institutions should assume that any cloud-based communication platform may eventually experience a breach and develop policies accordingly," Şeker says. "That means limiting sensitive discussions in platform messaging systems, minimizing unnecessary data retention, enforcing strong identity controls like multifactor identification (MFA) everywhere possible, and having clear breach response communication plans ready before an incident occurs."

Brian Bell, CEO of customer identity and access management vendor FusionAuth, says institutions should also require vendors to prove their own security posture with current certifications, third-party audits, clear breach notification commitments, and documented controls for things like API keys and tokens.

"Vendor trust cannot be a one-time procurement decision," he says. "In edtech, it has to be continuously earned."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism.
He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.