Liputan6.com, Jakarta - Instructure, the company behind the Canvas learning management system (LMS), confirmed a serious cybersecurity incident and data breach in early May 2026.
The incident caused widespread disruption to the Canvas platform, which is the backbone of education for millions of students, teachers, and staff at thousands of institutions globally.
Advertisement
This incident sparked significant concern among the academic community and Canvas users worldwide.
The initial intrusion was detected on April 29, 2026, and was subsequently contained by Instructure.
On May 1, 2026, Instructure's Chief Information Security Officer, Steve Proud, confirmed the data breach, stating that hackers successfully exploited a vulnerability to gain access to the system.
As a result, several critical services, including Canvas Data 2 and Canvas Beta, were temporarily disabled.
The criminal hacker group ShinyHunters later claimed responsibility for the attack on May 3, 2026, in a post on Ransomware.Live.
Canvas Security Incident Timeline
Initial detection of an intrusion into the Canvas system happened on April 29, 2026, prompting Instructure to immediately take containment measures.
Official confirmation of the data breach came on May 1, 2026, when Instructure acknowledged that hackers had exploited a vulnerability in their cloud-hosted environment.
An initial statement on May 2, 2026, indicated that the compromised data included names, email addresses, student ID numbers, and messages exchanged between Canvas users.
The incident culminated in a claim of responsibility by the hacker group ShinyHunters on May 3, 2026.
The group, known for previous attacks on major entities like Ticketmaster and AT&T, announced their involvement, highlighting the seriousness of the threat to Canvas user data.
Compromised User Data and Hacker Claims
Instructure officially confirmed that the data involved in the Canvas security incident included personal information such as full names, email addresses, student identification numbers, and message histories exchanged between users.
However, Instructure also asserted that there was no evidence of compromise of more sensitive data such as account passwords, birth dates, government identifiers, or financial information.
This statement was intended to alleviate concerns about deeper financial and identity security for Canvas users.
In contrast to Instructure's statement, the ShinyHunters group made a much larger claim.
They claimed to have exfiltrated more than 3.65 TB of data, allegedly affecting nearly 9,000 educational institutions and approximately 275 million students, teachers, and staff.
This claim also included billions of private messages containing personal information.
Impact, Response, and Security Recommendation
The incident caused significant service disruptions, with Canvas, Canvas Beta, and Canvas Test being placed in maintenance mode on May 7, 2026.
Many institutions reported that their Canvas sites displayed ransom messages from the hacker group, disrupting critical academic processes such as final exams.
ShinyHunters has threatened to release sensitive data they claim to have obtained if the ransom demand is not met by May 12, 2026.
They also accused Instructure of ignoring their initial communications and only issuing a "security patch" after the initial attack, further complicating the Canvas incident.
Instructure has taken a firm stance, refusing to negotiate with the threat actor.
The company has secured its platform, patched the vulnerability, engaged a third-party forensics firm for an in-depth investigation, and notified law enforcement authorities of the Canvas data breach.
Thousands of educational institutions worldwide, including universities in the United States, Australia, and Europe, have been affected.
Several universities, such as George Mason University and Rutgers, have confirmed that their data was compromised, increasing the risk of phishing and fraud for their Canvas users.
Given the potential risk of phishing and fraud resulting from compromised data, Canvas users are strongly advised not to interact with ransom messages or other suspicious emails.
Do not click on links, open attachments, download files, or respond to any unknown messages.
Any suspicious messages claiming to be from Canvas, Instructure, or university IT support should be immediately reported to the relevant institution's cybersecurity team.