Canvas Got Hacked. Then It Got Hacked Again.

By David V. | Category News | 5/15/2026

For 275 million students, teachers, and staff using Canvas, finals week got a lot more memorable than usual.

In late April, the extortion crew known as ShinyHunters slipped into Instructure (the company behind Canvas) and started quietly pulling data. By the time Instructure caught the intrusion four days later, the attackers had walked away with roughly 6.65 terabytes of records from 9,000 schools and universities. They got names, institutional emails, student ID numbers, and private messages between Canvas users. Affected institutions include Harvard, Cornell, Duke, Georgetown, ECU, and Pitt. Basically a roll call of American higher education.

Instructure announced the breach. They said they'd contained it. They moved on.

ShinyHunters did not move on.

On May 7, during finals week at many of those schools, the attackers came back. This time they didn't bother being quiet. The Canvas login page itself got replaced with a ransom note. Every student logging in to check a grade or submit a paper saw it. Pay up by May 12, or the data leaks.

The audacity is the story.

How they got in (and back in)

The entry point wasn't an exotic exploit or a zero-day. It was the FREE-FOR-TEACHER tier, Canvas's no-cost sign-up product that lets any teacher start a class without paying. The attackers found a way to abuse that flow to get further than they should have. Same technique for both intrusions.

That's worth pausing on. Free-tier products are usually treated as the "safe" surface of a platform: low value, low trust, less attention. They're also the surface where the company is most likely to skip security investment, because the free tier isn't directly generating revenue. ShinyHunters apparently noticed.

Instructure says no passwords, financial data, birthdates, or official ID numbers were exposed. Just identities and private messages. Which sounds reassuring until you remember that for a phishing campaign or a doxing operation, "just identities and private messages" is the gold.

Why this one matters more than a typical breach

A few reasons.

The data is on students, and some of them are minors. Schools have specific obligations under FERPA in the US that don't apply to a typical enterprise breach. A different regulatory and ethical category of incident.

It happened during finals. Imagine logging in to submit a thesis and getting a ransom note instead. CNN reported students stranded mid-exam.

ShinyHunters is a known repeat actor. They're the same crew behind major breaches of Ticketmaster, AT&T (via Snowflake), and — this same week — Cushman & Wakefield's half-million Salesforce records. They're not random opportunists. They're a persistent, escalating extortion operation.

And the part that should worry every SaaS company watching this: the first patch didn't work. Instructure said they'd contained the incident. They hadn't. Whatever Free-For-Teacher hardening they rolled out didn't close the door all the way. The attackers walked back in days later.

What this means if you're not running a school IT department

If you're a student or teacher caught in this: change your Canvas password anyway, and turn on multi-factor authentication if your school offers it. Then watch your inbox. A Canvas-themed phishing wave is the highest-value follow-on attack with this kind of data, because the stolen names, institutional emails and private messages give the attackers real people and real conversations to quote back at you. If an email asks you to verify, reset or reactivate anything, ignore the link and log in by typing the Canvas address you already know.
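The "log in through the URL you already know" advice is easy to state and easy to get wrong, because phishing links are built to look like the real host. The check below is an added example, not code from the article or from Instructure: given a link lifted from an email, it decides whether the link really points at a trusted Canvas host, rejecting the usual tricks (http downgrade, the real hostname used as a prefix of an attacker's domain, the real hostname smuggled into the userinfo part of the URL, odd ports, and Unicode or punycode lookalikes). The hostnames, and every link in the sample list, are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed hostnames for an imaginary school's Canvas instance. Replace with the
# address you actually type to log in (often <school>.instructure.com).
TRUSTED_HOSTS = ("canvas.example-university.edu", "example-university.instructure.com")


def same_or_subdomain(host: str, trusted: str) -> bool:
    """True if host equals trusted or is a label-wise subdomain of it, so that
    'canvas.example-university.edu.attacker.example' and
    'notcanvas.example-university.edu' both fail."""
    return host == trusted or host.endswith("." + trusted)


def link_verdict(url: str, trusted_hosts=TRUSTED_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason) for a link found in an e-mail. Anything not ok should
    be ignored in favour of typing the known address by hand."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    # 'https://canvas.example-university.edu@attacker.example/' parses with the
    # trusted name as the username and attacker.example as the real destination.
    if parts.username is not None or parts.password is not None:
        return False, "credentials before the host (userinfo trick)"
    host = parts.hostname  # lowercased by urlsplit; None if absent
    if not host:
        return False, "no hostname"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    # Homoglyph hosts arrive either as raw non-ASCII (Cyrillic 'а' in 'cаnvas')
    # or already IDNA-encoded as xn-- labels. Neither is an institutional host.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised/punycode hostname, possible lookalike"
    host = host.rstrip(".")  # accept the fully-qualified trailing-dot form
    for trusted in trusted_hosts:
        if same_or_subdomain(host, trusted):
            return True, f"{host} is {trusted} or a subdomain of it"
    return False, f"{host} is not a trusted Canvas host"


def triage(links) -> dict[str, bool]:
    """Map each link to whether it may be followed."""
    return {link: link_verdict(link)[0] for link in links}


# Constructed sample links, in the style of a post-breach Canvas-themed
# phishing mail. None of these are real phishing URLs.
SAMPLE_LINKS = [
    "https://canvas.example-university.edu/login/canvas",            # genuine
    "https://sso.canvas.example-university.edu/saml",                 # genuine subdomain
    "http://canvas.example-university.edu/login/canvas",              # downgraded to http
    "https://canvas.example-university.edu.account-verify.example/",  # trusted name as prefix
    "https://canvas.example-university.edu@account-verify.example/",  # userinfo trick
    "https://canvas-example-university.edu/reset",                    # hyphen lookalike
    "https://canvas.example-university.edu:8443/",                    # odd port
    "https://cаnvas.example-university.edu/",                         # Cyrillic 'а' homoglyph
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = link_verdict(link)
        print("OK  " if ok else "SKIP", link, "->", why)
```

Trusting subdomains of the institutional host is a deliberate choice here, since real Canvas deployments often redirect to an SSO host under the same domain; if your school's login never leaves one exact hostname, tighten `same_or_subdomain` to an equality test.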

For everyone else, the broader lesson is that the free tier of a SaaS product is a real attack surface, not a sandbox. If your company offers a free tier, a free trial, or a "for individual use" sign-up flow, that is where attackers look for asymmetric leverage: it sits on the same backend as the paid product, shares the same identity and tenant boundaries, and usually gets the least scrutiny. Pen-test it like a real product, with tenant isolation and abuse of the sign-up flow itself explicitly in scope.

The ransom deadline was May 12. Whether Instructure paid, negotiated, or rode it out, the stolen data is in ShinyHunters' hands. Phishing campaigns aimed at affected students are almost certainly already in motion.

Keep your guard up at the inbox.

Key Terms

  • LMS (Learning Management System) — software schools use to deliver coursework, host assignments, grade students, and message between teachers and students. Canvas, Blackboard, Moodle, and Google Classroom are the big ones.
  • ShinyHunters — a data-extortion crew behind major breaches in recent years, including Ticketmaster, AT&T (via Snowflake), and now Instructure. They steal data, demand payment, and leak the data if the ransom isn't paid.
  • Free-For-Teacher (FFT) — Canvas's free tier. Any teacher can sign up at no cost to host a class. The attackers abused a flaw in this sign-up flow.
  • Extortion vs. ransomware — true ransomware encrypts your data and demands payment for the decryption key. Pure data extortion (like this attack) steals the data and threatens to leak it unless paid. ShinyHunters typically does the second one.
  • FERPA — the US Family Educational Rights and Privacy Act, which restricts how schools may disclose student education records. FERPA itself contains no breach-notification clause; notification duties come from state breach laws and from contracts. But an unauthorized disclosure of records held by a vendor like Instructure is still the school's FERPA problem, which is what puts schools in a different regulatory category from a typical enterprise victim.
  • Free-tier security gap — when companies invest less security attention in free or trial accounts than in paid accounts, because the free tier doesn't directly generate revenue. Attackers love this.
