Instructure CEO apologizes after ShinyHunters attack on Canvas

Instructure CEO Steve Daly apologized in a May 11 blog post after a cyberattack by the ShinyHunters group disrupted Canvas services at hundreds of schools and universities and exposed user data. The company said it first detected the incident on May 1 and has taken steps to contain the breach and restore service.

Canvas, a cloud-based learning management system used by more than 8,000 institutions and about 30 million active users, experienced outages and access problems at institutions in the US, UK, Canada, Australia and New Zealand. Instructure’s chief information security officer, Steve Proud, warned early in the response that data including usernames, names, email addresses, student ID numbers, course names, enrollment information and private messages had been accessed. Daly confirmed those categories of information were involved and said core learning data — course content, login credentials and student submissions — was not accessed.

Instructure and the attackers said the intruders exploited a vulnerability in Canvas’s Free for Teacher support ticket environment. The company temporarily disabled the Free for Teacher environment while it conducts a full security review. Daly described the shutdown as disruptive but necessary to protect the broader Canvas platform.

The ShinyHunters group claims it took about 3.65 terabytes of data and that the haul includes roughly 275 million records from more than 8,800 institutions. The group also carried out a follow-up action that defaced some login portals with a ransom note, which added to recovery work and service interruptions. ShinyHunters has been linked to previous breaches at other organizations.

The attack affected operations during a busy academic period. Mississippi State University postponed exams, and students at the University of Oxford reported they could not access exam papers and had to contact lecturers for documents and results. Instructure said it would continue to provide assistance and guidance to affected schools and universities.

Daly acknowledged problems with early communication and outlined planned changes and more frequent updates as the company works to restore confidence among customers. He wrote, “Rebuilding trust takes time. We’re going to earn it back through consistent action and honest communication. We’re in this for you and your community.” He also apologized for the strain on campus IT teams and for inconsistent updates during the first days of the response.

Instructure said it has implemented containment measures and is conducting a full security review. The company committed to security changes but did not provide specific timelines for those upgrades. The incident involved large volumes of personal and institutional data and remains under investigation by Instructure’s security team.