Canadian Cyber Security Journal

ShinyHunters Claims Second Canvas Breach Hours After Instructure Declared It Over — 275 Million Records and a May 12 Deadline

What Happened

On May 8, 2026, Instructure posted an update stating the Canvas learning management system was back online and the security incident was over. Within hours, the ShinyHunters threat group contradicted that claim, announcing a second successful breach of the platform through the same Free-For-Teacher account vulnerability that enabled the first intrusion.

The group says it holds 3.65 terabytes of data — approximately 275 million records — covering 8,809 educational institutions worldwide, including universities, colleges, K-12 schools, and government education ministries. Exposed data includes names, email addresses, student ID numbers, and private messages between students and instructors. ShinyHunters has set May 12, 2026, as the deadline for ransom payment before it publishes the full dataset.

Instructure first detected the initial intrusion on April 29. The Free-For-Teacher account type, used to give individual educators access outside institutional contracts, appears to have provided a persistent attack surface that the company failed to fully close before declaring the incident resolved. Dark Reading and Higher Ed Dive confirmed the second breach claim.

Why This Matters for Canadian Organizations

Canvas holds a dominant position in Canadian post-secondary education. Universities such as the University of British Columbia, York University, and dozens of colleges across Ontario, Quebec, and the western provinces rely on it as their primary learning management system. K-12 boards in several provinces use Canvas for student course management and communications.

The exposed data — names, email addresses, student ID numbers, and private messages — is directly actionable for identity fraud, targeted phishing against students and faculty, and social engineering attacks against institutional IT systems. Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy legislation such as Ontario’s FIPPA and Quebec’s Law 25, affected Canadian institutions have reporting obligations to the Office of the Privacy Commissioner if student data was compromised.

The May 12 leak deadline falls tomorrow. If ShinyHunters publishes the full dataset, the scale of exposure for Canadian institutions shifts from potential to confirmed, triggering mandatory breach notification processes. Institutions that have not already audited their Canvas account types — particularly Free-For-Teacher accounts — should treat this as an active incident, not a vendor problem.

What to Do

First, contact your Instructure account representative to confirm whether your institution is in the affected population and request a full account audit. Second, audit all Free-For-Teacher accounts tied to your institution’s domain and revoke access for accounts that cannot be verified as current staff or faculty. Third, notify your privacy and legal teams now so breach notification timelines do not run past regulatory deadlines if exposure is confirmed tomorrow. Fourth, watch Instructure’s status page and your institutional SIEM for any anomalous API activity or unusual data export events tied to Canvas credentials. If your institution is subject to Bill C-26 or PIPEDA mandatory breach reporting, begin preparing the notification package now so you are not scrambling after May 12.
