Instructure Says Canvas Breach Came From Free-For-Teacher Account Issue


Instructure says the recent Canvas security incident involved unauthorized access to part of its environment and exposed user data tied to the learning platform. The company said the affected fields included usernames, email addresses, course names, enrollment information and messages.

The company also said core learning data was not compromised. That includes course content, submissions and credentials, according to Instructure’s latest incident update.

The breach has drawn major attention because Canvas is used by schools, universities and education organizations worldwide. It also caused disruption during a sensitive period for many students, with final exams, assignments and end-of-term work depending on access to the platform.

What Instructure confirmed

Instructure said it identified a vulnerability related to support tickets in its Free for Teacher environment. The company said attackers exploited that issue, and it temporarily disabled Free for Teacher while it continues a security review.

The company also confirmed that Canvas is fully operational and safe to use. It said customers do not need to take action at this stage, although it continues to investigate and validate the full findings.

Instructure later said it reached an agreement with the unauthorized actor involved in the incident. Under that agreement, the company said the data was returned, it received digital confirmation of data destruction, and customers should not engage with the attackers individually.

Key facts at a glance

Item | Details
Company affected | Instructure
Product affected | Canvas LMS
Issue linked to | Free for Teacher environment
Data involved | Usernames, email addresses, course names, enrollment information and messages
Data not found compromised | Course content, submissions and credentials
Threat group claim | ShinyHunters claimed responsibility
Current Canvas status | Fully operational, according to Instructure

How the Free for Teacher issue fits in

Free for Teacher lets educators use Canvas without a paid institutional account. That made it useful for testing and classroom use, but the incident now puts attention on how trial and free account systems connect to production education platforms.

Reuters reported that Instructure said the attackers exploited an issue related to its Free-for-Teacher service. The company temporarily shut down that service while restoring access to the main Canvas platform.

Bitdefender’s advisory described the incident as a direct compromise of the Canvas platform through the Free-For-Teacher account program. It also said the exposure window ran from April 30 to May 7, 2026.

ShinyHunters claimed a much larger data theft

ShinyHunters claimed it stole data tied to nearly 9,000 schools. Reuters reported that the group claimed access to roughly 6.65 TB of Canvas data, including student names, email addresses and private messages.

Instructure has not confirmed the full figures claimed by ShinyHunters. The company’s public statements focus on the data fields involved and on the agreement it says returned and destroyed the data.

The Associated Press reported that the attack created chaos for students at thousands of schools because Canvas holds grades, course notes, assignments, lecture videos and other class materials.

Why this matters for schools

The biggest short-term risk is phishing. Names, course details, enrollment information and messages can help attackers write emails that look personal and believable.

A student could receive an email that references a real class, a real instructor, or a real Canvas message. That kind of detail can make a fake login page or malware attachment more convincing.

Schools should treat the exposed data as useful material for follow-up scams, even if passwords and credentials were not part of the confirmed compromise.

What schools should check now

  • Warn students, faculty and staff about phishing emails that mention Canvas, grades, assignments or course messages.
  • Review Canvas-related login pages for unauthorized changes or suspicious messages.
  • Rotate API credentials and review third-party integrations connected to Canvas.
  • Check access logs for unusual activity tied to external or unfamiliar accounts.
  • Review help desk and support ticket workflows connected to Canvas access.
  • Tell users to avoid clicking Canvas links from unexpected emails or text messages.
  • Direct users to access Canvas only through official school portals.
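
The link check behind the last two items above, as an added example that is not part of the original article: it flags messages that use a Canvas-related lure and link anywhere other than the school's official hosts. The host names, sample messages and function names are constructed placeholders, not real Canvas or Instructure values.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: hypothetical official hosts for one school (placeholders).
OFFICIAL_HOSTS = {"portal.school.example", "canvas.school.example"}
# Lure topics taken from the checklist above.
LURE_TERMS = ("canvas", "grade", "assignment", "course message")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample messages, not real mail.
SAMPLES = {
    "legit": "Your grade for BIO 101 is posted: "
             "https://canvas.school.example/courses/42/grades",
    "lookalike": "New Canvas message from your instructor: "
                 "https://canvas.school.example.login-check.test/inbox",
    "userinfo": "Assignment overdue, sign in: "
                "https://canvas.school.example@files.invalid/login",
    "unrelated": "Lunch menu: https://cafeteria.test/menu",
}


def is_official(host, allowed=OFFICIAL_HOSTS):
    """True only for an allowed host or a true subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def off_portal_links(body, allowed=OFFICIAL_HOSTS):
    """Return the hosts of links that do not point at official hosts."""
    flagged = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname  # the real host, after any user@ part
        except ValueError:
            host = None  # unparseable link: treat as suspicious
        if not is_official(host, allowed):
            flagged.append(host or url)
    return flagged


def triage(body, allowed=OFFICIAL_HOSTS):
    """Flag a message that uses a Canvas-related lure and links off-portal."""
    text = body.lower()
    if not any(term in text for term in LURE_TERMS):
        return []
    return off_portal_links(body, allowed)
```

Matching on the parsed host rather than on the visible text is what catches the two misleading samples, where the official name appears in the link but is not the host the browser would contact.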

Instructure faces pressure over response and communication

Instructure CEO Steve Daly apologized for the disruption and said the company did not communicate consistently enough during the incident. He said the company has launched a dedicated incident update page and plans to share more findings as its investigation progresses.

Reuters also reported that the House Homeland Security Committee requested a briefing from Instructure about the breach, the data involved, response steps and coordination with federal cybersecurity agencies.

The incident now raises a broader question for education technology vendors. Schools depend on cloud platforms for daily teaching, grading and communication, so even limited disruptions can quickly affect exams, assignments and student services.

FAQ

Was Canvas hacked?

Instructure confirmed unauthorized access to part of its environment involving Canvas-related data. ShinyHunters claimed responsibility for the breach.

What data was exposed in the Canvas breach?

Instructure said the involved data included usernames, email addresses, course names, enrollment information and messages.

What caused the Canvas breach?

Instructure said attackers exploited a vulnerability related to support tickets in the Free for Teacher environment.

Were Canvas passwords stolen?

Instructure said core learning data, course content, submissions and credentials were not compromised.

Summary

  1. Instructure confirmed unauthorized access involving Canvas-related user data.
  2. The company linked the incident to a Free for Teacher support ticket vulnerability.
  3. Exposed data included usernames, emails, course names, enrollment information and messages.
  4. Instructure said course content, submissions and credentials were not compromised.
  5. Schools should prepare for phishing attempts using real Canvas-related details.