What Happened
The ShinyHunters threat group exploited a vulnerability in Instructure’s Canvas LMS — the world’s most widely deployed learning management platform — to simultaneously deface login portals across multiple university and school district clients. The attack replaced institutional login pages with extortion messages visible to any student or staff member attempting to sign in. The same access also exposed student and faculty personal data: names, email addresses, and institutional records.
Instructure disclosed an initial “cybersecurity incident” on 3 May 2026 without confirming the attacker identity or method. The confirmed details released on 11 May 2026 identify ShinyHunters as the operator and describe a vulnerability in Canvas’s portal customisation API as the initial access vector. An emergency patch has been issued.
Business Impact
Direct institutional impact: Universities and schools whose portals were defaced faced immediate reputational damage as students encountered ransom demand messages in place of their institution’s login interface. This public-facing disruption is distinct from typical data breaches and puts pressure on institutions to respond visibly and quickly.
Student and faculty data exposure: The confirmed data exposure includes names, email addresses, and institutional data. The combination of email addresses and institutional context (university affiliation, course enrolment) creates a phishing risk for the affected population. For institutions serving minors in K-12 settings, the disclosure obligations are stricter and the reputational consequences of breach more severe.
Regulatory obligations: US educational institutions are data controllers under FERPA — they hold independent obligations to assess whether individual student notification is required. UK and EU institutions have GDPR Article 33 notification obligations to supervisory authorities within 72 hours of becoming aware. Australian institutions are subject to the Notifiable Data Breaches scheme.
Board-Ready Summary
- Hackers have defaced university login portals hosted on Canvas LMS with ransom demands — a highly visible attack that students and staff witnessed directly.
- The breach also exposed student and faculty personal data, triggering data protection notification obligations under FERPA (US), GDPR (UK/EU), and equivalent frameworks globally.
- Institutions running Canvas must apply an emergency patch this week and begin assessing notification obligations without delay.
Recommended Actions
For educational institutions running Canvas LMS:
- Immediate (today): Confirm with your Instructure account representative that the emergency patch has been applied to your Canvas instance. Instructure’s cloud-hosted customers may have received automatic updates; self-managed deployments require manual patching.
- Immediate (today): Review Canvas administrator and API access logs from 28 April 2026 onwards for unexpected API calls, configuration changes, or access from unrecognised IP addresses.
- Short-term (this week): Begin a data exposure assessment. Determine what student and faculty records were accessible to the attacker, and whether the scope meets the notification threshold under applicable data protection law.
- Short-term (this week): Communicate to students, staff, and faculty about the incident, the remediation steps taken, and what data may have been affected. Proactive communication from the institution reduces confusion and prevents information vacuums that attackers exploit.
- Short-term (this week): Engage your data protection officer, privacy officer, or legal counsel to assess notification timelines. Do not wait for Instructure’s centralised guidance if your jurisdiction imposes independent obligations.
- Ongoing: Review the API and integration access model for your Canvas deployment. Third-party integrations and administrative API access should be scoped to minimum necessary permissions and audited regularly.
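The log review called for in the "Immediate (today)" actions, as an added example that is not Instructure's code and does not use the real Canvas log format: a small Python triage script run over constructed sample lines, flagging events from 28 April 2026 onwards that either originate outside an assumed institution-managed IP allowlist or are write calls against assumed customisation and API-key paths. The line layout, the allowlist ranges and the path hints are all assumptions; map your own log export into `parse_line` and adjust the constants before use.

```python
"""Triage of Canvas-style admin/API audit log lines (constructed sample data).

ASSUMED line layout: "<ISO-8601 timestamp> <actor> <source IP> <method> <path>".
This is an illustration, not the real Canvas export format.
"""
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Review window from the advisory: activity from 28 April 2026 onwards.
LOOKBACK_START = date(2026, 4, 28)

# ASSUMED institution-managed ranges (placeholder values; replace with your own).
KNOWN_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# State-changing methods, plus ASSUMED path fragments for portal customisation
# and API-key management, the areas this incident makes worth a second look.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
SENSITIVE_PATH_HINTS = ("/theme", "/api_keys")


def parse_line(line):
    ts, actor, ip, method, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "ip": ip_address(ip), "method": method, "path": path}


def flag_reasons(event):
    """Return the list of reasons an event deserves analyst attention (empty if none)."""
    if event["ts"].date() < LOOKBACK_START:
        return []  # before the review window
    reasons = []
    if not any(event["ip"] in net for net in KNOWN_RANGES):
        reasons.append("unrecognised source IP")
    if event["method"] in WRITE_METHODS and any(h in event["path"] for h in SENSITIVE_PATH_HINTS):
        reasons.append("configuration change")
    return reasons


def triage(lines):
    """Parse each non-empty line and keep only flagged events with their reasons."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = flag_reasons(ev)
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["actor"], str(ev["ip"]),
                             f"{ev['method']} {ev['path']}", reasons))
    return findings


# Constructed sample log: one pre-window change, one benign read, two events from
# an unknown address, and one in-range theme change that still warrants review.
SAMPLE_LOG = """\
2026-04-20T09:14:02 admin01 10.1.2.3 PUT /api/v1/accounts/1/theme
2026-04-29T03:41:55 svc_portal 198.51.100.77 PUT /api/v1/accounts/1/theme
2026-04-30T11:02:10 admin01 10.1.2.3 GET /api/v1/accounts/1/theme
2026-05-01T22:17:08 svc_portal 198.51.100.77 POST /api/v1/accounts/1/api_keys
2026-05-02T08:00:00 admin02 192.0.2.15 PATCH /api/v1/accounts/1/theme
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Every configuration change inside the window is listed, including those from known addresses, so that an analyst can confirm each one against a change record rather than only hunting for foreign IPs.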