Federal Linux

Instructure Canvas hack

Tracy R Reed

I was affected by the Instructure Canvas ransomware hack

What can we learn from this Canvas incident in terms of cybersecurity? It will be hard to say for sure what the actual cause of the incident was in terms of technical details. Companies like to hide the embarrassing details. They will often say it was a “nation-state” or powerful “hacker gang” and make it out like the incident was beyond their control. Of course, that is not the case.

Instructure (the company that makes Canvas) has posted an “incident update” page where they explain what is going on, what they are doing, and whatever other information they are willing to make public.

https://www.instructure.com/incident_update

Let’s look at the status update for 5/11/26 where they write:

> ...Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

So they have come to an agreement with the “unauthorized actor” who many would characterize as a criminal? In my opinion that is morally questionable and likely foolish. Can such people be trusted to keep their word? What are the consequences for them if they don’t?

>  The data was returned to us.

Digital data is not a physical object that can simply be returned. At most, a copy of the data was sent back; that does nothing to the copies the attacker made along the way.

>  We received digital confirmation of data destruction (shred logs).

Imagine that someone sends you a screenshot of the stolen data being deleted. Now imagine all the ways that this could be a trick:

  1. They had another copy

  2. They sent a copy to someone else so they could say, “We deleted your data and no longer have it.”

  3. The “digital confirmation” was Photoshopped

  4. The files showing being deleted (shred logs) did not actually contain what they were claimed to contain

I’ve barely given this any thought, I’m not feeling particularly creative, and I can still come up with at least four. There is absolutely no way to guarantee that the attackers do not still have a copy of the data.

Note that #4 mentions shred logs. Presumably this refers to the GNU shred utility, which overwrites a file in place. Its verbose output (shred -v) is a few lines of plain text naming the file and each overwrite pass. Anyone could type that up, and even a genuine log only proves that one file on one machine was overwritten, not that no other copy exists anywhere else.

>  We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.

We are taking the word of people who would do such a thing? If you do get extorted a year from now, how will you know that the extortion came as a result of this particular breach and not some other breach somewhere that you do not yet know about? What if the attackers break their promise? How can they be held accountable?

>  This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

So Instructure has negotiated the privacy of our data with the attackers on our behalf. I am very skeptical. Definitely don’t attempt to engage with the attacker though.

Note that Instructure had a security incident back in September of 2025, just 8 months ago. That incident was also attributed to ShinyHunters; attackers reportedly used social engineering to compromise Instructure’s Salesforce systems.

And in this incident, Instructure says on their incident page:

> On April 29, 2026, we detected unauthorized activity in Canvas. We immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.

So they knew about this a full week before we knew about it.

> On May 7, 2026, we identified additional unauthorized activity tied to the same incident. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas. Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards.

They knew about this a week before we did, and their initial incident response, which they say revoked the attacker’s access on April 29, failed to contain the incident: the same issue was exploited again a week later.

> We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts. These accounts have been a core part of our platform, and we're committed to resolving the issues with these accounts.

“Free-For-Teacher” accounts… that is a sales/marketing tool. I wonder if this is in any way related to Salesforce and the breach they had 8 months ago? No idea. Note that ShinyHunters host a leak site on the dark web listing the organizations they claim to have hacked, often with snippets of stolen data posted as proof that they have it. It is entirely possible that all of the stolen data is being traded on the dark web as we speak.

Here is an interesting third party timeline:

https://www.halcyon.ai/ransomware-alerts/education-sector-in-the-crosshairs-shinyhunters-extortion-campaign-against-instructure

Apparently, some Instructure customers knew about this on 2 May. But we did not know about it until days later. And if we had happened to look at the ShinyHunters leak site on the dark web on May 3, we would have seen Instructure listed there and could have known. Of course, I’m not in the habit of browsing such places on the dark web.

Note the entry for 12 May 2026:

> New deadline for individual school negotiations
> ShinyHunters sets a final deadline for the approximately 8,809 affected institutions to independently contact the group and negotiate data suppression before the full dataset is released publicly.

This would suggest that they are extracting ransom not only from Instructure but from each of the individual schools! Wow! So this may not yet be over, if this is to be believed.

The “Free-For-Teacher” account program allowed educators to create Canvas tenants without institutional verification. Anyone could create one, apparently. That means self-service signup handed out tenants at the same level as real institutions, and whatever data and features a tenant exposes became reachable by anyone willing to fill in a form, with no vetting of who was asking. That is a large attack surface.

Instructure has not said what the “issue” actually was, so we can only speculate about what sort of web application flaw let a self-signup tenant escalate privileges and exfiltrate other institutions’ data.

Multi-tenant applications such as this generally use logical separation to keep your data apart from everyone else’s. Picture this logical separation as boxes within boxes within boxes: in Canvas there are schools, then classes, then individual students, and every one of them must have their data kept separate from the others.

It is not practical to put each student on their own physical machine. So it all goes on one machine or a cluster of machines and logical separation is used. This is very practical and efficient, but the effort required to ensure that nobody can break out of their box is massive: every lookup in the application has to be tied back to the caller’s own tenant, and a single missed check is a hole. Allowing anyone to create an institution-level Canvas instance puts them at the top level of this logical separation, alongside real schools, so every one of those checks has to hold against a tenant admin who is actively hostile.
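To make the “boxes within boxes” point concrete, here is an added example in Ruby (Canvas itself is a Rails application, but this is not Canvas code; the model, names and data below are made up for illustration). It puts a lookup that trusts a bare record id beside one that scopes every lookup to the caller’s tenant first and the caller’s role second, then shows that an admin of a self-signup tenant can read another institution’s data through the first and is refused by the second.

```ruby
# Added example (not Canvas code): a toy of the "boxes within boxes" model
# and the one check that keeps a tenant inside its box. All data and names
# are made up for illustration.

Account = Struct.new(:id, :name)                             # outer box: an institution
Course  = Struct.new(:id, :account_id, :name)                # middle box
Grade   = Struct.new(:id, :course_id, :student_id, :score)   # inner box
Actor   = Struct.new(:user_id, :account_id, :role)           # authenticated caller

ACCOUNTS = [Account.new(1, "Alpha University"), Account.new(2, "Self-signup sandbox")].freeze
COURSES  = [Course.new(10, 1, "Chem 101"), Course.new(20, 2, "Sandbox course")].freeze
GRADES   = [Grade.new(1000, 10, 100, 91), Grade.new(2000, 20, 200, 50)].freeze

ALPHA_STUDENT = Actor.new(100, 1, :student)  # belongs to account 1, owns grade 1000
SANDBOX_ADMIN = Actor.new(999, 2, :admin)    # top-level admin of their OWN tenant only

class Forbidden < StandardError; end

# VULNERABLE: the row is fetched by its id alone. Being an admin of any tenant
# (such as a free, unverified one) plus a guessable id is enough to read
# another institution's data. Nothing ties the lookup to the caller's box.
def grade_for_vulnerable(_actor, grade_id)
  GRADES.find { |g| g.id == grade_id } || raise(Forbidden, "no such grade")
end

# HARDENED: the lookup is scoped to the caller's tenant first, then to the
# caller's role within it. Admin rights never cross the account boundary.
def grade_for(actor, grade_id)
  grade  = GRADES.find { |g| g.id == grade_id }
  course = grade && COURSES.find { |c| c.id == grade.course_id }
  # One error for "missing" and "not yours" so ids cannot be enumerated.
  raise Forbidden, "no such grade" unless course && course.account_id == actor.account_id
  raise Forbidden, "no such grade" unless actor.role == :admin || grade.student_id == actor.user_id
  grade
end

# true if the named lookup succeeds for this actor, false if it is refused.
def can_read?(lookup, actor, grade_id)
  send(lookup, actor, grade_id)
  true
rescue Forbidden
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, sandbox admin reads Alpha's grade: #{can_read?(:grade_for_vulnerable, SANDBOX_ADMIN, 1000)}"
  puts "hardened,   sandbox admin reads Alpha's grade: #{can_read?(:grade_for, SANDBOX_ADMIN, 1000)}"
  puts "hardened,   Alpha student reads own grade:     #{can_read?(:grade_for, ALPHA_STUDENT, 1000)}"
end
```

The design point is that tenant membership is checked on the row being returned, not on the caller’s claimed privileges: an “admin” role means nothing outside the account it was granted in, and a record that belongs to another tenant is reported as non-existent rather than as forbidden, so the API cannot be used to enumerate which ids exist elsewhere.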

You know what I actually find impressive about Instructure’s response? That they actually got their service back up without data loss. When I discovered what had happened I thought that we might be in for a prolonged outage and possible data loss. I am very happy to see that everything appears to be intact.

Instructure’s updates describe data theft and altered pages rather than encryption, so it is not actually clear that our data was ever encrypted. If it was, Instructure was able to restore it reasonably quickly by whatever means. For a service this big, coming back in a few days is impressive. They could have paid for a decryptor or they could have restored from backup. Either way, this is a very good lesson in the importance of backups.

What if Instructure did not want to or simply could not pay?

What if there was a technical issue or the attackers accidentally lost the decryption key?

All of these things have actually happened in the past. Computer security is commonly summarized as the CIA triad:

  • Confidentiality
  • Integrity
  • Availability

In this case, all three of those factors were affected with regard to our data. It was leaked, so it is no longer confidential; the attacker was inside the application and altered pages that students and teachers saw, so its integrity was compromised; and with Canvas in maintenance mode for days it was not available to us.

A lot of people forget about availability in cybersecurity. That’s backups, redundancy, failover, RAID 5, the 3-2-1 backup rule, disaster recovery, business continuity processes, etc. (Note that RAID protects against disk failure, not against deletion or an attacker encrypting your files, so it is no substitute for backups, and a backup you have never restored from is only a hope.) It is not as exciting as pentesting, but ensuring that we will always be able to access the data is a critical part of maintaining security.
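An added example, not Instructure’s tooling, of what “the importance of backups” means in practice: a restore drill in Ruby that takes a backup, records a manifest of SHA-256 hashes at backup time, restores into a fresh location and verifies the restored files against that manifest. The sample files are constructed for the drill; a second run corrupts the backup copy before restoring to show that the manifest catches a backup that was altered after it was taken.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# Added example, not Instructure's tooling: a minimal restore drill.
# A backup is only proven when a restore has been exercised and the
# restored files match a manifest captured when the backup was taken.

# Constructed sample "production" data for the drill (made up for this post).
SAMPLE_FILES = {
  "courses/chem101/roster.csv" => "id,name\n100,Alice\n",
  "courses/chem101/grades.csv" => "id,score\n100,91\n",
  "config/settings.yml"        => "tenant_isolation: strict\n",
}.freeze

def write_tree(root, files)
  files.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
end

def sha256_of(path)
  Digest::SHA256.file(path).hexdigest
end

# Relative path => sha256 for every regular file under root.
def manifest(root)
  Dir.glob("**/*", base: root)
     .select { |rel| File.file?(File.join(root, rel)) }
     .to_h { |rel| [rel, sha256_of(File.join(root, rel))] }
end

# Take a backup: copy the tree and return the manifest of what was copied.
# In practice the manifest lives on a different medium than the backup,
# so an attacker who can alter one cannot quietly alter the other.
def backup(src, dest)
  FileUtils.mkdir_p(dest)
  FileUtils.cp_r(File.join(src, "."), dest)
  manifest(src)
end

# Restore into a fresh directory and compare against the manifest taken
# at backup time. Returns {ok:, missing:, mismatched:}.
def restore_and_verify(backup_dir, restore_dir, expected)
  FileUtils.mkdir_p(restore_dir)
  FileUtils.cp_r(File.join(backup_dir, "."), restore_dir)
  actual     = manifest(restore_dir)
  missing    = expected.keys - actual.keys
  mismatched = expected.select { |rel, h| actual.key?(rel) && actual[rel] != h }.keys
  { ok: missing.empty? && mismatched.empty?, missing: missing, mismatched: mismatched }
end

# Run the drill end to end in temporary directories. With tamper: true the
# backup copy is overwritten after it was taken, simulating an attacker
# (or bit rot) reaching the backup, and the manifest check must fail.
def run_drill(tamper: false)
  Dir.mktmpdir("drill") do |tmp|
    prod, bak, rst = %w[prod backup restore].map { |d| File.join(tmp, d) }
    write_tree(prod, SAMPLE_FILES)
    expected = backup(prod, bak)
    File.write(File.join(bak, "courses/chem101/grades.csv"), "ENCRYPTED") if tamper
    restore_and_verify(bak, rst, expected)
  end
end

if __FILE__ == $PROGRAM_NAME
  p run_drill
  p run_drill(tamper: true)
end
```

The clean run returns ok: true with empty lists; the tampered run returns ok: false and names the altered file. The point of the drill is not the copying, which any tool can do, but that the restore is actually performed and checked against evidence captured before anything could go wrong, on a schedule, rather than discovered to be broken on the day it is needed.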