
Instructure has confirmed that attackers gained unauthorized access to parts of its environment and exploited a vulnerability tied to the company’s Free for Teacher support ticket system.
The company says Canvas is now fully operational and that core learning data, including coursework and submissions, was not compromised.
The update comes days after a widespread outage affected universities and school districts across the United States and internationally, with threat actors linked to the ShinyHunters extortion group claiming responsibility for breaching Instructure and threatening to leak stolen data. During the disruption, attackers defaced hundreds of Canvas login portals with a ransom-style message demanding negotiations before a May 12 leak deadline.
Instructure is a Utah-based education technology company that operates Canvas, one of the world’s largest cloud-based learning management systems. The platform is used by more than 30 million students, teachers, and administrators across over 8,000 educational institutions globally, including major universities and K-12 school districts.
In a public statement signed by CEO Steve Daly, Instructure acknowledged that customers experienced prolonged disruptions and criticized the company’s communication during the incident response. Daly admitted the firm “went quiet” while attempting to verify technical details and said the company failed to provide the consistent updates schools and educators expected during the outage.
According to the latest disclosure, the breach exposed data fields that include:
- Usernames
- Email addresses
- Course names
- Enrollment information
- User messages
However, Instructure stated that “core learning data,” such as course content, assignment submissions, and credentials, was not accessed by attackers.
The company also confirmed that attackers exploited a vulnerability involving support tickets in the Canvas Free for Teacher environment. As a precaution, Instructure temporarily disabled the Free for Teacher platform while conducting a broader security review. The company did not provide technical details about the vulnerability or explain how attackers gained initial access.
Last week’s outage caused widespread disruption during a critical period of the academic calendar, leaving students and faculty unable to access assignments, lecture recordings, grades, messaging systems, and exam materials. Universities, including Harvard, MIT, Rutgers, Georgetown, Princeton, Columbia, and the University of Washington, acknowledged service interruptions tied to the incident, while several schools delayed exams and assignment deadlines.
Instructure said it has engaged CrowdStrike to assist with forensic analysis and to provide recommendations to improve the company’s security posture. The firm also hired an additional vendor to conduct a large-scale e-discovery review of the affected data to provide customers with more detailed information about which records were involved.
The company warned that the comprehensive data review could take “some weeks” to complete, adding that no action is currently required from customers or users and that Canvas remains safe to use.






