Canvas intrusion, data theft, and portal defacement

Attackers compromised **Instructure's Canvas** and stole confidential course and user data, affecting about **160 UK higher education institutions** and roughly **9,000 educational institutions worldwide**. Instructure detected unauthorized activity on **April 29, 2026**, and later tied further access on **May 7** to abuse of **Canvas** weaknesses in user-generated content handling that allowed malicious JavaScript injection, authenticated admin session access, and privileged actions. The May 7 access also altered login-page content seen by some students and teachers, with defacement appearing on approximately **330 institutional Canvas login pages**. Available evidence connects the intrusion, the application weakness, and the data-theft fallout into one sequence: an initial breach was followed by repeat access through a **Canvas** weakness, portal defacement, and extortion messaging. Instructure confirmed exposure of names, email addresses, student ID numbers, and messages among users, while saying it found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. A group calling itself **ShinyHunters** claimed responsibility and claimed theft of about **275 million** to **280 million** records and more than **3TB** of data, but those scale figures and the exact actor role are not independently established in the available material. Response measures included taking **Canvas** offline temporarily, shutting down **Free-for-Teacher** accounts until issues were resolved, deploying patches, rotating application keys, increasing monitoring, and requiring customer re-authorization for new API keys. **Canvas** was reported fully online by **May 9, 2026**, and investigators said there was no evidence of lateral movement into other institutional systems. The remaining risk is secondary abuse of the stolen data for phishing, smishing, and vishing against students, educators, and staff, while the precise root cause chain and the full volume of exfiltrated data remain unclear.