May 6, 2026

ALERT: Cybersecurity Incident involving Instructure Canvas

This update is intended to give you an overview of the current landscape and help you define a path toward remediation regarding the developing cybersecurity incident involving Instructure, the parent company of the Canvas Learning Management System. The latest intelligence confirms a threat actor group known as ShinyHunters has claimed responsibility for breaching Instructure’s Canvas and Salesforce environments. The group alleges that approximately 275 million users across 9,000 institutions may be impacted, with an estimated 3.65 terabytes of data potentially exfiltrated. A “pay or leak” ultimatum has reportedly been issued to Instructure.

What data was leaked?

These claims are still being validated. However, personal information for students, faculty, and staff, in addition to private communications, may be included in the compromised data. Instructure has begun notifying customers and is actively investigating the incident while providing ongoing guidance.

What should you do now?

Start by contacting your cyber insurance provider or breach response team before [SC1] initiating external communications, forensic investigations, or formal notifications. This ensures compliance with policy requirements and preserves eligibility for coverage.

Unauthorized access to Canvas-related data introduces risks such as credential compromise, phishing campaigns, and misuse of institutional information. Given Canvas’s role as a core academic platform, we strongly recommend that institutions take the following immediate, proactive measures:

  • Reset Canvas-related passwords, especially for administrative, integration, and privileged accounts
  • Require multi-factor authentication re-authentication across Canvas, SSO, and identity platforms
  • Review administrative accounts and remove inactive or unnecessary access
  • Monitor authentication logs for suspicious activity, including unusual login locations or failed attempts
  • Validate all integrations, including SIS feeds, APIs, LTIs, and third-party applications
  • Review encryption standards to ensure secure protocols are enforced

Institutions should perform a structured review of all Canvas integrations and API access. This includes identifying all connected systems, validating ownership, reviewing API tokens and developer keys, removing unused access, rotating credentials, enforcing least privilege, and ensuring integrations use secure service accounts.

How can Ferrilli help?

Ferrilli is actively supporting clients with incident response coordination, Canvas security reviews, identity and access validation, API and integration assessments, and communication planning. If you would like assistance assessing your environment or executing these recommendations, please email us at gethelp@ferrilli.com or call (888) 864-3282.