Instructure confirms hackers used Canvas flaw to deface portals

Instructure says hackers used Canvas flaw for extortion message on login portals

Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message.

BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions.

The second hack was to draw attention and to pressure Instructure into entering negotiations to pay a ransom following an initial breach disclosed a week before.

Instructure is the developer of Canvas, a popular learning management system (LMS) used by schools and universities around the world to handle assignments and coursework.

On April 29, the company discovered that its network had been breached and “immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.”

A few days later, the company confirmed that data was stolen in the cyberattack, and ShinyHunters published Instructure on their data leak site, stating that they stole more than 3.6 terabytes of uncompressed data.

In an attempt to coerce Instructure into paying a ransom, the threat actor hacked Instructure again on May 7 using the same vulnerability used in the initial intrusion.

ShinyHunters injected malicious JavaScript exploiting XSS bugs within user-generated content features, which gave them access to authenticated admin sessions and allowed them to perform privileged actions.

In an email to BleepingComputer on Sunday, Instructure confirmed that the exploited security issue affected the Free-for-Teacher environment, the free, limited version of Canvas LMS for individual educators.

“The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas” – Instructure

At the time, the organization added that it temporarily took Canvas offline to prevent the malicious activity from spreading, determine the cause, and to “apply additional safeguards.”

ShinyHunters used the flaw to add a message to Canvas login portals, warning that the company, as well as schools using its platform, had until May 12 to reach out and negotiate a ransom.

ShinyHunters message left on University of Texas San Antonio Canvas login page
Hackers’ message on the Canvas login page of the University of Texas San Antonio
​​​​

Instructure has shut down Free-For-Teacher accounts until the issues have been resolved. However, Canvas has been restored and is available for use since May 9th.

While no data was compromised when defacing Canvas login portals, the data that ShinyHunters exfiltrated in the first breach likely includes usernames, email addresses, course names, enrollment information, and messages.

According to ShinyHunters, the Instructure breach impacts 8,809 educational organizations (schools, universities, colleges, online platforms) and the hackers claim to have stolen 275 million records belonging to students, teachers, and other staff members.


article image

99% of What Mythos Found Is Still Unpatched.

AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.

At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.

Claim Your Spot

Read More
Ionut Ilascu

Latest

Airline spends four days without flying as bankruptcy rumors swirl

Please enable JS and disable any ad blocker

3 AI Memory Stocks to Watch in July 2026

AI memory stocks have been the loudest trade of 2026, as the scramble for the chips behind every AI server pushed prices and profits to records. But the three names below share the same strange split. The business has never looked stronger, yet the money flows are quietly turning cautious...

Zoomex X Space recap with David James and the World Cup trading panel

James said real pressure for keepers comes in the silence between shots. At Liverpool, City, Portsmouth and England, preparation shaped James. For traders too, instinct works only when built on the right information. Zoomex hosted the third episode of its World Cup Edition X Space as part of the Zoomex World Cup Impact Pledge, bringing

Kalyan Jewellers shares fall 6% despite 38% revenue growth in Q1

Home Market News Kalyan Jewellers shares fall 7% despite 38% revenue growth in Q1 Kalyan Jewellers' international business also maintained strong momentum, with revenue rising nearly 35% year-on-year. 2 Min Read Shares of Kalyan Jewellers India Ltd. fell as much as 7.5% in early trading on Tuesday, July 7, despite the jewellery retailer reported a

Newsletter

Don't miss

Airline spends four days without flying as bankruptcy rumors swirl

Please enable JS and disable any ad blocker

3 AI Memory Stocks to Watch in July 2026

AI memory stocks have been the loudest trade of 2026, as the scramble for the chips behind every AI server pushed prices and profits to records. But the three names below share the same strange split. The business has never looked stronger, yet the money flows are quietly turning cautious...

Zoomex X Space recap with David James and the World Cup trading panel

James said real pressure for keepers comes in the silence between shots. At Liverpool, City, Portsmouth and England, preparation shaped James. For traders too, instinct works only when built on the right information. Zoomex hosted the third episode of its World Cup Edition X Space as part of the Zoomex World Cup Impact Pledge, bringing

Kalyan Jewellers shares fall 6% despite 38% revenue growth in Q1

Home Market News Kalyan Jewellers shares fall 7% despite 38% revenue growth in Q1 Kalyan Jewellers' international business also maintained strong momentum, with revenue rising nearly 35% year-on-year. 2 Min Read Shares of Kalyan Jewellers India Ltd. fell as much as 7.5% in early trading on Tuesday, July 7, despite the jewellery retailer reported a

‘Worst thing about Cristiano Ronaldo’: Messi fan’s farewell to CR7 goes viral after Portugal vs Spain | World Cup 2026

Verified Messi fan Appie Cule has posted a lengthy farewell to Cristiano Ronaldo. This came after Spain beat Portugal 1-0 at the World Cup. That defeat effectively ended Ronaldo's World Cup career for good. Cule framed the post as Ronaldo's definitive "last dance" moment. The post argued Ronaldo had set impossibly-high standards for himself. It

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom