The Canvas Data Breach: what parents, teachers and users actually need to know


By Carter Terry, Principal  ·  Pop Box IT  ·  popboxit.com  ·  678-737-1737

If you or any member of your family uses Canvas for school, or you’re a teacher who relies on it daily, you’ve probably seen the headlines this week. A criminal hacking group broke into Canvas — the learning management platform used by roughly 30 million students and educators globally — and stole a significant amount of user data. Schools from Harvard to your kid’s local K-12 district were affected. This post looks at what actually happened, what’s genuinely at risk, what isn’t, and what you can do about it right now.

~275M records claimed affected
8,809 schools worldwide
3.65 TB data claimed stolen
8 days exposure window

What actually happened — and how

Canvas is made by a company called Instructure. The breach was carried out by a group called ShinyHunters — the same group behind the 2024 Ticketmaster breach. This was their second attack on Instructure in eight months. The first, in September 2025, hit Instructure’s Salesforce business systems but never touched Canvas itself. This one went straight for the platform.

The technical entry point: Free-For-Teacher accounts

Canvas offers a program called “Free-For-Teacher” (FFT) — a free tier that let any educator create a Canvas account without being verified by their institution. Think of it as a trial account anyone could get with a generic email address.

Instructure has stated that the unauthorized actor carried out activity through Free-For-Teacher accounts and exploited a vulnerability related to support tickets in the Free-For-Teacher environment. The incident involved unauthorized access to Canvas data, including usernames, email addresses, course names, enrollment information, and messages.

The incident did not stop with data access. On May 7, 2026, Instructure stated that the same threat actor gained additional access through a second Canvas vulnerability and made changes to pages shown to some logged-in Canvas users. Instructure said no additional data was accessed or exfiltrated during this second attack, but the activity was serious enough that Canvas was temporarily taken offline in maintenance mode while Instructure contained the activity and applied additional safeguards.

Public reporting described the second activity as HTML injection that altered Canvas login screens to display a ransom message. The message reportedly stated, “ShinyHunters has breached Instructure (again),” and threatened publication of stolen data if a settlement was not negotiated.


The Timeline

Instructure detects unauthorized access. They say they revoked it and closed the incident.

Instructure posts a vague notice. No specifics on what was taken.

ShinyHunters goes public, claiming 275M records and posting a ransom demand on threat intelligence forums. Deadline: May 7.

Instructure attempts to patch rather than pay. ShinyHunters responds by defacing 330+ Canvas login pages with a ransom message visible to every student trying to study for finals. Canvas goes offline.

Canvas comes back online. Free-For-Teacher program permanently shut down. Instructure engages CrowdStrike and notifies the FBI and CISA.

Instructure apologizes for lack of transparency and implies — without confirming — that they reached a payment agreement with ShinyHunters. Stolen data not publicly released as of publication.


Who was affected — and who wasn’t

Affected

Any student, teacher, or staff member whose institution used Canvas before May 3, 2026, should assume their name, institutional email address, and enrollment information were exposed. If you or anyone you know sent private messages through Canvas’s inbox during that window — or at any point previously stored in Canvas — those messages may have been accessed too.

Institutions confirmed in media reporting include Harvard, Columbia, Princeton, Georgetown, Stanford, Rutgers, and thousands of K-12 districts. If you are local to Atlanta like us, the impact was closer to home than the national headlines may suggest. Georgia Tech, Georgia State University, Cobb County Schools, Fulton County Schools, and other Georgia-area institutions and school systems were affected.

Not affected (per Instructure’s confirmed reporting)

Passwords were not confirmed stolen. Financial information, birth dates, government-issued IDs, and Social Security numbers were not confirmed as part of the breach. Schools that had migrated to self-hosted Canvas instances or had blocked FFT account access through their own network policies had a reduced exposure profile. Other platforms like Google Classroom or Microsoft Teams Education were not involved.

Important caveat: “Not confirmed stolen” is not the same as “definitely safe.” Instructure has been criticized for being slow and opaque in its communications. Until a full forensic report is published, we consider this an ongoing situation.

The real risks going forward

The data taken in this breach isn’t useful for identity theft by itself — you can’t open a credit card with just a name, school email, and student ID. But it’s extremely useful for something arguably more dangerous: targeted social engineering.

Spear-phishing — the primary threat

With real names, institutional emails, course names, and private message content, attackers can craft emails that look uncannily legitimate. Picture your child getting an email from what appears to be their professor: “Hi [student’s real name], I noticed you messaged me about your [real course name] assignment. I need you to log in to confirm your grade before the semester closes — click here.” That link goes to a fake Canvas login page that steals their university password.

Credential stuffing

If anyone uses the same password across Canvas and other services — email, banking, social media — and that password has already surfaced in a previous breach, attackers can pair it with the now-exposed email address and try the combination at scale against other platforms. This is called credential stuffing, and it’s automated and fast.

Private message exposure

Canvas messages often contain sensitive personal disclosures — accommodation requests for disabilities or mental health conditions, grade appeals, academic integrity situations, students reaching out to advisors about financial hardship or personal crises. This information in the wrong hands can be used for targeted manipulation, particularly for higher-profile individuals.


What you can do about it — three levels

User level (students, parents, teachers)

PASSWORDS: Change your Canvas password now. Then change it anywhere else you’ve reused it. Use a password manager to generate unique passwords per site.
MFA: Enable multi-factor authentication on Canvas, your school email, and every other account you can. Even if your password is stolen, MFA stops most attacks.
PHISHING: Be suspicious of all Canvas-related emails, for the next 90 days especially. Verify any link by going directly to your school’s Canvas URL — never click through an email.
PARENTS: Talk to your kids about this. Explain that they may get realistic-looking emails from “teachers” and should verify with you or the school before clicking anything.

Network level (schools, IT teams, MSPs)

EMAIL FILTERING: Tighten email security rules. Ensure DMARC, DKIM, and SPF records are configured correctly on institutional email domains to block spoofed sender addresses.
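Correctly configured is the operative phrase: a domain can publish all three records and still be spoofable if SPF ends in +all, DKIM is left in testing mode, or DMARC sits at p=none. The following Python checker is an added example, not part of the original post and not Instructure's or Pop Box IT's code. It evaluates SPF, DKIM and DMARC TXT records for exactly those weaknesses; the records it runs on are constructed strings with placeholder domains (myschool.example, mailer.example), so it works offline, and in practice you would pull the real records with a resolver (dig TXT yourdomain, dig TXT selector._domainkey.yourdomain, dig TXT _dmarc.yourdomain).

```python
"""Offline sanity check of the SPF, DKIM and DMARC TXT records that decide whether
mail claiming to come from your domain is accepted. Added example; the records
below are constructed and the domains are placeholders."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"ok": 0, "warn": 1, "fail": 2}


@dataclass
class Finding:
    record: str    # "SPF", "DKIM" or "DMARC"
    severity: str  # "ok", "warn" or "fail"
    message: str


def parse_tags(txt):
    """Split 'k=v; k=v' records (DKIM, DMARC) into a dict with lowercase keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def mechanism_name(term):
    """'-all' -> 'all', 'include:x' -> 'include', 'redirect=x' -> 'redirect', 'a/24' -> 'a'."""
    m = re.match(r"^[+\-~?]?([a-z0-9]+)", term.lower())
    return m.group(1) if m else ""


def check_spf(txt):
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "fail", "no SPF record: any host may send as this domain")]
    findings = []
    all_term = next((t for t in terms[1:] if mechanism_name(t) == "all"), None)
    if all_term is None:
        findings.append(Finding("SPF", "fail", "no 'all' mechanism: unlisted senders are never rejected"))
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "-":
            findings.append(Finding("SPF", "ok", "-all: unlisted senders fail SPF"))
        elif qualifier == "~":
            findings.append(Finding("SPF", "warn", "~all: unlisted senders only soft-fail; enforce via DMARC p=reject"))
        else:
            findings.append(Finding("SPF", "fail", f"{qualifier}all: authorizes every sender on the internet"))
    # RFC 7208 allows at most 10 DNS-querying terms; more gives permerror, i.e. no protection at all.
    lookups = sum(1 for t in terms[1:] if mechanism_name(t) in ("include", "a", "mx", "ptr", "exists", "redirect"))
    if lookups > 10:
        findings.append(Finding("SPF", "fail", f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    if any(mechanism_name(t) == "ptr" for t in terms[1:]):
        findings.append(Finding("SPF", "warn", "ptr mechanism is deprecated; use ip4/ip6 or include"))
    return findings


def check_dkim(txt):
    tags = parse_tags(txt)
    if "p" not in tags:
        return [Finding("DKIM", "fail", "no p= public key: not a usable DKIM record")]
    if tags["p"] == "":
        return [Finding("DKIM", "fail", "empty p=: key is revoked, signatures from this selector will fail")]
    if "y" in tags.get("t", ""):
        return [Finding("DKIM", "warn", "t=y: testing mode, receivers may disregard failures")]
    return [Finding("DKIM", "ok", "public key published")]


def check_dmarc(txt):
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "fail", "no DMARC record: SPF/DKIM results are never enforced")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(Finding("DMARC", "ok", "p=reject: spoofed mail is refused"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "warn", "p=quarantine: spoofed mail goes to spam instead of being refused"))
    else:
        findings.append(Finding("DMARC", "fail", f"p={policy or 'missing'}: spoofed mail is delivered normally"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(Finding("DMARC", "warn", f"pct={pct}: policy applies to only {pct}% of mail"))
    if tags.get("sp", policy).lower() != "reject":
        findings.append(Finding("DMARC", "warn", "subdomains are not under p=reject (sp= tag)"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "warn", "no rua= address: aggregate reports off, spoofing goes unseen"))
    return findings


def worst_severity(findings):
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


# Constructed records: a typical weak setup beside a hardened one (keys are truncated placeholders).
WEAK_SPF = "v=spf1 include:_spf.mailer.example +all"
WEAK_DKIM = "v=DKIM1; k=rsa; t=y; p=MIGfMA0G..."
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"
STRONG_DKIM = "v=DKIM1; k=rsa; p=MIGfMA0G..."
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@myschool.example; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, (spf, dkim, dmarc) in (("weak", (WEAK_SPF, WEAK_DKIM, WEAK_DMARC)),
                                      ("hardened", (STRONG_SPF, STRONG_DKIM, STRONG_DMARC))):
        for f in check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc):
            print(f"{label:8} {f.record:5} {f.severity:4} {f.message}")
```

The weak set fails on every record even though all three exist, which is the common state of school domains that set up email years ago and never revisited it. Treat anything short of -all, a non-testing DKIM key, and p=reject with sp=reject and a rua= address as unfinished.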
MONITORING: Elevate threat monitoring for 90 days. Watch for unusual login patterns, especially from unfamiliar geolocations or at atypical hours on institutional accounts.
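Two of the patterns worth watching for after this breach are the credential stuffing described earlier (one source failing against many different accounts in quick succession) and the anomalous successful logins this item calls out (a new country for that account, or an hour when almost nobody is active). The Python below is an added example rather than anything from the original post or from Instructure; it runs both detections over authentication log lines. The log format, every sample line, the account names and the IP addresses (documentation ranges) are constructed, and the "odd hours" are evaluated in UTC, so adjust both the parser and the hour window to your identity provider and campus time zone.

```python
"""Detect credential-stuffing bursts and anomalous successful logins in
authentication logs. Added example; the log format and all sample lines are
constructed. Map your identity provider's fields onto parse_line() for real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """One constructed log line -> event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def build_baseline(events):
    """Countries each account logged in from successfully during a known-good period."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            baseline[ev["user"]].add(ev["geo"])
    return baseline


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """One source failing against many distinct accounts in a short window is
    replaying leaked email/password pairs, not a user mistyping a password."""
    failures_by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures_by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in failures_by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts.append({"type": "credential_stuffing", "src": src, "accounts": len(accounts)})
                break
    return alerts


def detect_anomalous_logins(events, baseline, odd_hours=range(0, 5)):
    """Flag successes from a country the account has never used, or during
    hours (UTC here; adjust to campus local time) when almost nobody logs in."""
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        reasons = []
        if ev["geo"] not in baseline.get(ev["user"], set()):
            reasons.append(f"new geo {ev['geo']}")
        if ev["ts"].hour in odd_hours:
            reasons.append(f"odd hour {ev['ts'].hour:02d}:00 UTC")
        if reasons:
            alerts.append({"type": "anomalous_login", "user": ev["user"], "src": ev["src"], "reasons": reasons})
    return alerts


# Constructed sample data: a quiet known-good period, then the post-breach window.
BASELINE_LOG = """
2026-04-20T14:02:11Z user=alice@myschool.example src=198.51.100.4 geo=US result=success
2026-04-21T09:15:40Z user=bob@myschool.example src=198.51.100.9 geo=US result=success
2026-04-22T16:44:03Z user=carol@myschool.example src=198.51.100.12 geo=US result=success
"""
RECENT_LOG = """
2026-05-05T03:01:10Z user=alice@myschool.example src=203.0.113.50 geo=US result=failure
2026-05-05T03:01:12Z user=bob@myschool.example src=203.0.113.50 geo=US result=failure
2026-05-05T03:01:14Z user=carol@myschool.example src=203.0.113.50 geo=US result=failure
2026-05-05T03:01:15Z user=dave@myschool.example src=203.0.113.50 geo=US result=failure
2026-05-05T03:01:17Z user=erin@myschool.example src=203.0.113.50 geo=US result=failure
2026-05-05T03:01:19Z user=bob@myschool.example src=203.0.113.50 geo=US result=success
2026-05-05T13:20:00Z user=carol@myschool.example src=198.51.100.12 geo=US result=success
2026-05-05T13:25:00Z user=alice@myschool.example src=198.51.100.4 geo=US result=failure
2026-05-06T11:00:00Z user=alice@myschool.example src=192.0.2.77 geo=RO result=success
"""

if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    recent = parse_log(RECENT_LOG)
    for alert in detect_credential_stuffing(recent) + detect_anomalous_logins(recent, baseline):
        print(alert)
```

On the sample data the single source 203.0.113.50 trips the stuffing rule after five distinct accounts in under ten seconds, and its one success (bob at 03:01 UTC) is also caught as an odd-hour login, which is the combination that deserves an immediate password reset rather than a ticket. Alice's own mistyped password from her usual address produces nothing, which is the point of counting distinct accounts per source rather than raw failures.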
API CREDENTIALS: Rotate Canvas API keys and tokens. Any integrations your school has with Canvas — scheduling, SIS, LTI tools — should have their credentials rotated as a precaution.
DNS & WEB FILTERING: Block known phishing domains. Use DNS-layer filtering to block newly registered domains mimicking Canvas or your institution’s login page.
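A filter needs a rule for "mimicking", and the usual one is a mix of edit distance from the protected name, homoglyph substitution (digits standing in for letters), and a brand word buried in a longer hostname. The Python below is an added example, not code from the original post, from Instructure or from any filtering product; it scores domains seen in DNS logs or a new-domain feed and returns allow, review or block. The protected list, the brand tokens, the institution domain myschool.example and all sample hostnames are constructed, and the homoglyph table covers only a handful of common substitutions.

```python
"""Score observed domains for resemblance to domains worth protecting so a
DNS-layer filter can block or hold them. Added example; the protected list,
brand tokens and sample hostnames are constructed placeholders."""

# The institution's own domain (placeholder) and the Canvas vendor's; subdomains are implied.
PROTECTED_DOMAINS = ["instructure.com", "myschool.example"]
BRAND_TOKENS = ["instructure", "canvas", "myschool"]
# Characters commonly swapped for look-alikes: 0->o, 1->l, 3->e, 5->s, 7->t.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Fold common homoglyphs so '1nstructure' and 'canvas-l0gin' compare as their letters.
    Applied to both sides, so the rn->m and vv->w folds stay consistent."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, protected=PROTECTED_DOMAINS, tokens=BRAND_TOKENS, max_distance=2):
    """Return {'domain', 'verdict' ('allow' | 'review' | 'block'), 'reasons'}."""
    d = domain.lower().rstrip(".")
    # Exact protected domains and their subdomains are legitimate.
    for p in protected:
        if d == p or d.endswith("." + p):
            return {"domain": domain, "verdict": "allow", "reasons": []}
    labels = d.split(".")
    # Compare the registrable label (left of the suffix) after folding homoglyphs.
    candidate = normalize(labels[-2] if len(labels) >= 2 else labels[0])
    reasons = []
    for p in protected:
        base = normalize(p.split(".")[-2])
        dist = levenshtein(candidate, base)
        if dist == 0:
            reasons.append(f"same name as {p} under a different suffix")
        elif dist <= max_distance:
            reasons.append(f"edit distance {dist} from {p}")
    if reasons:
        return {"domain": domain, "verdict": "block", "reasons": reasons}
    # A brand token inside a longer label ('canvas-login-...') is not a typo but is
    # still impersonation; hold it for a human rather than auto-blocking.
    for label in labels[:-1]:
        for tok in tokens:
            if tok in normalize(label):
                reasons.append(f"brand token '{tok}' in label '{label}'")
    return {"domain": domain, "verdict": "review" if reasons else "allow", "reasons": reasons}


# Constructed hostnames as a filter might see them in a query log or new-domain feed.
SAMPLE_DOMAINS = [
    "instructure.com",
    "canvas.myschool.example",
    "instrucfure.example",
    "1nstructure.example",
    "instructure.example",
    "canvas-login-myschool.example",
    "weather.example",
]

if __name__ == "__main__":
    for name in SAMPLE_DOMAINS:
        result = classify(name)
        print(f"{result['verdict']:6} {name:32} {'; '.join(result['reasons'])}")
```

Edit-distance hits are safe to block outright because a legitimate domain two characters away from yours is rare; the embedded-token case goes to review because partner and vendor hostnames legitimately contain words like "canvas". Generic institution labels will need a longer allowlist than the two-entry one shown here.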

Product/platform level (what Instructure should do, and what to demand)

The Free-For-Teacher program required no institutional verification, creating an uncontrolled entry point into a production environment holding highly sensitive data. Instructure should treat Free-For-Teacher accounts as a production-level access path and apply security controls consistent with the level of risk those accounts introduce. Shared cloud infrastructure is common in SaaS platforms, but account type should not create a weaker security boundary. Customers should expect clear tenant isolation, abuse monitoring, account validation, and access controls across all Canvas account models that interact with production services or sensitive educational data.

ARCHITECTURE: Separate free-tier infrastructure. Free accounts should run on completely isolated infrastructure with no pathway to institutional tenant data.
VERIFICATION: Institutional verification. Any new account claiming affiliation with a school should require verification before gaining access to that school’s data environment.
AUDIT: Third-party penetration testing. This is the second ShinyHunters attack on Instructure in eight months. That pattern demands a full independent security audit.

The bigger picture

This breach isn’t just an Instructure problem. It’s a case study in what happens when a vendor prioritizes growth and low-friction onboarding over security architecture. The Free-For-Teacher program was probably great for adoption numbers; it was terrible for security. Rapid growth and security often pull in opposite directions. When a product is accelerated without proper testing, validation, and governance, even a valuable service becomes a waiting liability.

For schools, the lesson is to stop treating software security as someone else’s problem. Every tool your students log into is part of your security perimeter. You have every right — and arguably an obligation — to ask your vendors hard questions: Where is our data physically stored? How are unverified accounts managed and protected? When was your last third-party penetration test, and can we see the results?


Where you can find updates

For the latest official information, Instructure is maintaining a Security Incident Update & FAQs page for the Canvas incident. This page includes Instructure’s current statements about the timeline, affected data categories, remediation steps, and frequently asked questions.

You can view their Security Incident page at www.instructure.com/incident_update

Pop Box IT  ·  Managed IT & Security Services  ·  Atlanta, Georgia

popboxit.com  ·  info@popboxit.com  ·  678-736-1737