{"id":905155,"date":"2026-05-12T03:12:28","date_gmt":"2026-05-12T08:12:28","guid":{"rendered":"https:\/\/newsycanuse.com\/index.php\/2026\/05\/12\/instructure-confirms-hackers-used-canvas-flaw-to-deface-portals\/"},"modified":"2026-05-12T03:12:28","modified_gmt":"2026-05-12T08:12:28","slug":"instructure-confirms-hackers-used-canvas-flaw-to-deface-portals","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2026\/05\/12\/instructure-confirms-hackers-used-canvas-flaw-to-deface-portals\/","title":{"rendered":"Instructure confirms hackers used Canvas flaw to deface portals"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"Instructure says hackers used Canvas flaw for extortion message on login portals\" height=\"900\" src=\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/05\/01\/instructure-header2.jpg\" width=\"1600\"><\/p>\n<p>Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message.<\/p>\n<p>BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions.<\/p>\n<p>The second hack was to draw attention and to\u00a0pressure Instructure into entering negotiations to pay a ransom following an initial breach <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact\/\" rel=\"nofollow noopener\">disclosed a week before<\/a>.<\/p>\n<p>Instructure is the developer of Canvas, a popular learning management system (LMS) used by schools and universities around the world to handle assignments and coursework.<\/p>\n<p>On April 29, the company discovered that its network had been breached and \u201cimmediately revoked the unauthorized party\u2019s access, started an investigation, and engaged outside forensic 
experts.\u201d<\/p>\n<p>A few days later, the company confirmed that data was stolen in the cyberattack, and ShinyHunters published Instructure on their data leak site, stating that they stole more than 3.6 terabytes of uncompressed data.<\/p>\n<p>In an attempt to coerce Instructure into paying a ransom, the threat actor hacked Instructure again on May 7 using the same vulnerability used in the initial intrusion.<\/p>\n<p>ShinyHunters injected malicious JavaScript exploiting\u00a0XSS bugs within user-generated content features, which gave them access\u00a0to\u00a0authenticated admin sessions and allowed them to perform privileged actions.<\/p>\n<p>In an email to BleepingComputer on Sunday, Instructure confirmed that the exploited security issue affected the Free-for-Teacher environment, the free, limited\u00a0version of Canvas LMS for individual educators.<\/p>\n<p>\u201cThe unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas\u201d &#8211; <a href=\"https:\/\/www.instructure.com\/incident_update\" rel=\"nofollow noopener\">Instructure<\/a><\/p>\n<p>At the time, the organization added that it temporarily took Canvas offline to prevent the malicious activity from spreading, determine the cause, and to \u201capply additional safeguards.\u201d<\/p>\n<p>ShinyHunters used the flaw to add a message to Canvas login portals, warning that the company, as well as schools using its platform, had until May 12 to reach out and negotiate a ransom.<\/p>\n<div>\n<figure><img loading=\"lazy\" decoding=\"async\" alt=\"ShinyHunters message left on University of Texas San Antonio Canvas login page\" height=\"482\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/security\/c\/canvas\/shinyhunters-defacement\/canvas-defacement.jpg\" width=\"900\"><figcaption><strong>Hackers&#8217; message on the Canvas login page of the University of Texas San Antonio<\/strong><br 
\/>\n<\/figcaption><\/figure>\n<\/div>\n<p>Instructure has shut down Free-For-Teacher accounts until the issues have been resolved. However, Canvas has been restored and is available for use since May 9th.<\/p>\n<p>While no data was compromised when <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/canvas-login-portals-hacked-in-mass-shinyhunters-extortion-campaign\/\" rel=\"nofollow noopener\">defacing Canvas login portals<\/a>, the data that ShinyHunters exfiltrated in the first breach likely includes usernames, email addresses, course names, enrollment information, and messages.<\/p>\n<p>According to ShinyHunters, the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/instructure-hacker-claims-data-theft-from-8-800-schools-universities\/\" rel=\"nofollow noopener\">Instructure breach impacts 8,809 educational organizations<\/a> (schools, universities, colleges, online platforms) and the hackers claim to have stolen 275 million records belonging to students, teachers, and other staff members.<\/p>\n<\/div>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/instructure-confirms-hackers-used-canvas-flaw-to-deface-portals\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Ionut Ilascu<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message. BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions. 
The second hack was to draw attention and to\u00a0pressure<\/p>\n","protected":false},"author":1,"featured_media":905156,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2548,149443,46],"tags":[],"class_list":{"0":"post-905155","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-confirms","8":"category-instructure","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/905155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=905155"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/905155\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/905156"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=905155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=905155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=905155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}