Many of you have seen the headlines about the breach at Instructure, the company behind the Canvas learning management system used by 41% of higher education institutions in North America and thousands of K-12 districts. Here's what's known, and what your institution should be doing about it.
On April 30, Instructure detected a service disruption that turned out to be a cybersecurity incident. By May 1, the company confirmed an attacker had exploited a vulnerability in its cloud environment to access APIs and privileged credentials. Instructure has since patched the vulnerability, rotated application keys, and required customers to re-authorize their integrations.
On May 3, ShinyHunters (a financially motivated cybercrime group known for prior attacks on Ticketmaster, AT&T, and Snowflake customers) claimed responsibility on a leak site. Instructure subsequently confirmed that names, email addresses, student ID numbers, and user-to-user messages were exposed. The company has stated it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. ShinyHunters' bigger claims (275 million records, 3.65 terabytes of data, a separate breach of Instructure's Salesforce instance) remain unverified and are almost certainly inflated for extortion leverage. They have, however, published a list of 8,809 affected institutions, and major universities including Penn, Duke, and Michigan have publicly confirmed they're on it.
Here is a searchable list of the impacted organizations. It comes from the threat actors, so it's not 100% reliable: https://jrsherlock.github.io/canvas-breach/
The exposure most institutions aren't planning for is direct extortion of individual schools. Canvas is a multi-tenant SaaS, meaning every institution's data lives in shared infrastructure but is logically segmented by tenant. The actor's already-published per-institution record counts confirm the dataset has been sliced by school. The PowerSchool incident from late 2024 is the direct precedent: after PowerSchool paid a $2.85 million ransom and received what was supposed to be proof of data deletion, the threat actor turned around in May 2025 and started emailing individual school districts directly, demanding additional payments. Districts in North Carolina, the Toronto District School Board, and others received "pay or leak" emails, some signed "ShinyHunters." Expect the same pattern against Canvas institutions over the coming weeks, including bluffs from imitators trying their luck with the public list. Authenticity verification of any data sample is the first response. Do not negotiate, do not pay, do not engage without third-party triage.
Three actions to take now:
- Audit your Canvas tenant for unfamiliar admin accounts, developer keys, LTI tools, and webhook subscriptions. Instructure's central credential rotation does not cover persistence mechanisms within your tenant.
- Establish an internal escalation path for the extortion email before one arrives. Decide in advance who receives it, who they call, and the standing rule that you do not negotiate, pay, or respond without third-party verification.
- Brief help desk and faculty on elevated phishing risk. Stolen names, institutional email addresses, and course context make for very convincing impersonation.
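One way to run the tenant audit from the first action, shown as an added example (not ProCircular's or Instructure's tooling): compare a current inventory of admins, developer keys, LTI tools, and webhook subscriptions against a known-good baseline and flag anything new, recently created, or re-pointed. The inventory layout (`id`, `name`, `url`, `created_at`), the sample records, and the review-window date are assumptions; load them from whatever export your tenant provides.

```python
from datetime import datetime

CATEGORIES = ("admins", "developer_keys", "lti_tools", "webhooks")

def _ts(value):
    # Accept a trailing "Z" on Python versions where fromisoformat rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_tenant(current, baseline, window_start):
    """Flag inventory items that are new, recently created, or re-pointed."""
    cutoff = _ts(window_start)
    findings = []
    for category in CATEGORIES:
        known = {str(i["id"]): i for i in baseline.get(category, [])}
        for item in current.get(category, []):
            reasons = []
            base = known.get(str(item["id"]))
            if base is None:
                reasons.append("not in baseline")
            elif base.get("url") != item.get("url"):
                reasons.append("endpoint changed since baseline")
            created = item.get("created_at")
            if created is None:
                reasons.append("no creation timestamp")
            elif _ts(created) >= cutoff:
                reasons.append("created in review window")
            if reasons:
                findings.append((category, str(item["id"]), item.get("name", "?"), reasons))
    return findings

# Constructed sample data; field names and values are illustrative assumptions.
BASELINE = {
    "admins": [{"id": 11, "name": "lms-admin@example.edu"}],
    "developer_keys": [{"id": 201, "name": "SIS sync"}],
    "lti_tools": [{"id": 301, "name": "Proctoring", "url": "https://lti.vendor.example/launch"}],
    "webhooks": [],
}
CURRENT = {
    "admins": [{"id": 11, "name": "lms-admin@example.edu", "created_at": "2023-08-01T12:00:00Z"},
               {"id": 12, "name": "svc-support@example.edu", "created_at": "2026-04-29T03:14:00Z"}],
    "developer_keys": [{"id": 201, "name": "SIS sync", "created_at": "2022-01-10T09:00:00Z"}],
    "lti_tools": [{"id": 301, "name": "Proctoring", "created_at": "2021-06-01T00:00:00Z",
                   "url": "https://lti.other.example/launch"}],
    "webhooks": [{"id": 401, "name": "grade events", "url": "https://hooks.unknown.example/in"}],
}

if __name__ == "__main__":
    for category, item_id, name, reasons in audit_tenant(CURRENT, BASELINE, "2026-04-01T00:00:00Z"):
        print(f"[{category}] {item_id} {name}: {', '.join(reasons)}")
```

Set the review window to start well before the vendor's detection date, and treat every finding as something a named owner must explain rather than as proof of compromise.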
ProCircular is supporting affected education customers with incident response, Canvas tenant audits, and extortion triage. Reach out to your account team or contact us directly.
If you need immediate support:
https://info.procircular.com/en-us/canvas-breach-response-support
#Cybersecurity #HigherEd #K12 #VendorRisk #CanvasLMS
