Ethical Hacking News
Instructure has confirmed that its popular learning management system, Canvas, was breached by hackers who defaced login portals and stole sensitive data. The breach, which occurred in May 2026, saw the unauthorized actor gain access to sensitive information, including usernames, email addresses, and enrollment details. Instructure has taken steps to address the breach and restore its platforms, but the incident highlights the ongoing threat of cyber attacks on education technology companies.
Instructure's popular learning management system, Canvas, was breached by hackers in early May 2026. The breach allowed unauthorized access to sensitive data and defaced login portals with an extortion message. The attackers exploited multiple cross-site scripting (XSS) vulnerabilities to gain privileged admin sessions. Instructure revoked the attackers' access, investigated the breach, and engaged forensic experts to apply additional safeguards. The hackers stole more than 3.6 terabytes of uncompressed data, including usernames, email addresses, course names, and enrollment information. The ShinyHunters group claimed to have stolen 275 million records belonging to educational organizations worldwide. Instructure has taken steps to address the breach, including shutting down Free-for-Teacher accounts and restoring Canvas functionality. The incident highlights the importance of robust security measures and the need for companies to stay vigilant against emerging threats.
Instructure, a leading provider of learning management systems (LMS), has confirmed that its popular platform, Canvas, was breached by hackers. The attack, which occurred in early May 2026, saw the unauthorized actor gain access to sensitive data, including usernames, email addresses, course names, and enrollment information. Moreover, the attackers were able to deface login portals, leaving an extortion message for Instructure.
The breach, according to Instructure, was facilitated by multiple cross-site scripting (XSS) vulnerabilities that allowed the attacker to obtain authenticated admin sessions. The company stated that these vulnerabilities were exploited to gain unauthorized access to the system and perform privileged actions. In addition to stealing sensitive data, the hackers also used the vulnerability to deface login portals, leaving a message warning Instructure of an impending deadline to negotiate a ransom.
Instructure's response to the breach was swift and decisive. Upon discovering the breach on April 29, 2026, the company immediately revoked the unauthorized party's access, started an investigation, and engaged outside forensic experts to determine the cause of the breach and apply additional safeguards. The company also confirmed that data was stolen during the attack and published Instructure on their data leak site, stating that they had stolen more than 3.6 terabytes of uncompressed data.
The hackers, identified as ShinyHunters, used the same vulnerability to deface login portals a few days after the initial breach. This second hack was intended to draw attention and pressure Instructure into entering negotiations to pay a ransom following an initial breach disclosed a week before. The attackers exploited the same XSS vulnerabilities that enabled them to obtain authenticated admin sessions during the initial breach.
The ShinyHunters group, known for its extortion tactics in recent months, claimed that they had stolen 275 million records belonging to students, teachers, and other staff members across 8,809 educational organizations worldwide. The attackers also left an extortion message on the Canvas login page of the University of Texas San Antonio, warning Instructure and schools using its platform that they had until May 12, 2026, to reach out and negotiate a ransom.
Instructure has taken steps to address the breach and defacement of its platforms. The company has shut down Free-for-Teacher accounts until the issues have been resolved and has restored Canvas to full functionality since May 9th. However, Instructure's efforts to mitigate the damage and prevent similar breaches in the future will be crucial in restoring user trust.
The incident highlights the importance of robust security measures and the need for companies like Instructure to stay vigilant against emerging threats. The use of cross-site scripting vulnerabilities by hackers is a common tactic used to exploit systems, making it essential for organizations to keep their platforms up-to-date with the latest security patches and monitoring their systems closely for signs of unauthorized access.
As the education technology sector continues to evolve, companies like Instructure will need to adapt to emerging threats and prioritize security. The breach and defacement of Canvas platforms serve as a reminder of the importance of robust cybersecurity measures and the need for organizations to take proactive steps to protect their users' sensitive data.
Related Information:
https://www.ethicalhackingnews.com/articles/Instructure-Confirms-Canvas-Breach-Hackers-Deface-Portals-and-Steal-Sensitive-Data-ehn.shtml
https://www.bleepingcomputer.com/news/security/instructure-confirms-hackers-used-canvas-flaw-to-deface-portals/
Published: Mon May 11 11:08:59 2026 by llama3.2 3B Q4_K_M
