ShinyHunters compromised Instructure's Canvas LMS through the Free-for-Teacher (FFT) free tier in late April 2026 and lifted around 3.65 TB of data: roughly 275 million records spanning 8,809 institutions worldwide, including Oxford and a long list of other universities. On 11 May Instructure said it had reached an agreement with the attacker. We unpack the entry route, why it lands harder on UK schools, charities and SMBs than it might appear, and what to do across the next 30, 60 and 90 days.
Key takeaways
- ShinyHunters compromised Instructure's Canvas LMS via the free-tier Free-for-Teacher programme in late April 2026, exfiltrating roughly 3.65 TB - about 275 million records across 8,809 institutions - including Oxford and a long list of other universities. The portal defacement on 7 May and the 12 May ransom deadline put the entire incident lifecycle inside two working weeks.
- The data lifted - names, email addresses, student IDs and private course-channel messages - is precisely the field set that fuels credible AI-assisted phishing aimed at parents, donors and finance teams in the months ahead. Refresh phishing-awareness training and message hygiene across staff and student inboxes in the next four weeks.
- Force a credential reset across every Canvas administrator and privileged student account, and move administrative authentication onto passkeys or a hardware key wherever your tenant supports it. The NCSC's April 2026 default-to-passkeys recommendation applies to every administrative role in every SaaS your organisation runs, not just Canvas.
- Build a one-page SaaS inventory: for each supplier, record what data it holds, the contractual notification SLA, your internal supplier owner, and what your organisation will actually do operationally during a multi-day outage. The Canvas incident lifecycle ran end-to-end in roughly two working weeks; an undocumented response will not be assembled inside that window.
- Treat the three actions in the Cyber Resilience Pledge - board-level cyber ownership, the NCSC Early Warning service, and Cyber Essentials across the supply chain - as the standing framework for this kind of event. They directly answer 'who decided', 'how would we have known', and 'did the supplier meet a baseline' the next time a SaaS platform you depend on is defaced.
On 7 May 2026, students and staff at hundreds of schools and universities around the world signed in to Canvas and saw a ransom note where the login screen used to be. ShinyHunters, the threat actor better known for last year's wave of Salesforce-instance compromises, had defaced the portals of roughly 330 institutions and claimed to be sitting on 3.65 terabytes of Canvas data: about 275 million records spanning 8,809 institutions, including a long list of UK and international universities. On 11 May, Instructure confirmed it had reached an agreement with the attacker and that the stolen data had been destroyed; the next morning the original 12 May ransom deadline expired without incident. By any honest read of the public record, this is now the largest education-sector breach the industry has ever published numbers for.
For ReadyToday's audience — UK schools, multi-academy trusts, colleges, universities, charities and SMBs — this is the second major supply-chain failure to land in five weeks, and the lessons run a long way past "patch your LMS." The mechanics of the entry route, the time it took for the breach to surface, and the precise data lifted out together describe a failure pattern that maps cleanly onto almost every SaaS platform a small UK organisation depends on in 2026.
What actually happened
According to public reporting from Instructure, Halcyon, The Hacker News, Cybernews, TechRadar, Computing and Hackread, the attackers got in on 25 April through Canvas's Free-for-Teacher (FFT) programme, the no-cost tier that lets individual educators stand up a Canvas tenant without institutional verification. FFT tenants run on the same production Canvas infrastructure as paying customers; the separation is logical rather than physical. The attackers chained cross-site-scripting weaknesses inside FFT to reach administrative access, and because the free tier shares its production plane with paying tenants, that access extended to other customers' data. They then exfiltrated names, email addresses, student ID numbers and private course-channel messages from a long list of paying institutions. The reported exposure window ran from roughly 30 April, five days after initial access, to 7 May, when ShinyHunters made the breach public by replacing the Canvas login page with a ransom note.
The institutions named in the criminals' release notes are a who's-who of higher education: Harvard, MIT, the University of Pennsylvania, Rutgers, the University of North Carolina system, and Oxford. The full leak index is reported to cover around 15,000 institutions across the UK, Europe and the United States, a larger figure than the 8,809 institutions counted in the stolen records; the two numbers come from different sources and should not be read as the same measure. Computing reported that exams at several universities were disrupted during the outage, and CNN noted that students in the middle of their finals were locked out of submission windows.
The technical root cause, a free-tier programme running on the same plane as the paid one, is unusual, but the operational shape of the incident is not. A trusted SaaS supplier holds an institution's data, an internal trust boundary fails, and within seven days a threat actor is naming 8,809 customers individually. That is the pattern we covered in post #14: one supplier touched, dozens of downstream customers exposed.
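The phrase "logical rather than physical" separation deserves spelling out, because it is the part of this story that transfers to other SaaS platforms. When free-tier and paying tenants share one data store, the tenant boundary exists only in the authorisation code, and an escalated role claim minted in the free tier is contained only if every read checks the tenant before it checks the role. The following is an added illustration written for this article, not Canvas code and not the actual flaw reported by Instructure; the Session and Course records, the course data and the tenant names are constructed for the example. It contrasts a role-only check with a tenant-scoped one and measures how far a single escalated free-tier admin session can reach under each.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str   # the tenant that issued this session
    role: str        # "admin" or "student"


@dataclass(frozen=True)
class Course:
    course_id: str
    tenant_id: str
    roster: frozenset   # user_ids enrolled on the course
    messages: tuple     # private course-channel messages


class Forbidden(Exception):
    pass


# Constructed sample data (not real Canvas records): a free-tier tenant and a
# paying institution sharing a single store, the arrangement described above.
COURSES = {
    "fft-101": Course("fft-101", "free-tier", frozenset({"teacher-1"}),
                      ("sandbox course, nothing sensitive",)),
    "uni-3001": Course("uni-3001", "paying-uni", frozenset({"student-7"}),
                       ("exam moved to Friday", "grade queries: email me privately")),
}


def read_messages_role_only(session: Session, course_id: str) -> tuple:
    """Weak: the role claim is the only thing standing between tenants. Any
    session carrying role == "admin", whichever tenant minted it, reads every
    course in the shared store."""
    course = COURSES[course_id]
    if session.role == "admin" or session.user_id in course.roster:
        return course.messages
    raise Forbidden(f"{session.user_id} may not read {course_id}")


def read_messages_tenant_scoped(session: Session, course_id: str) -> tuple:
    """Hardened: tenant membership is checked first and cannot be overridden
    by role, so an admin escalated inside the free tier stays inside it."""
    course = COURSES[course_id]
    if course.tenant_id != session.tenant_id:
        raise Forbidden(f"{session.user_id} is outside tenant {course.tenant_id}")
    if session.role == "admin" or session.user_id in course.roster:
        return course.messages
    raise Forbidden(f"{session.user_id} may not read {course_id}")


def blast_radius(session: Session, reader) -> set:
    """Return the set of course_ids a session can read under a given
    authorisation function; the size of this set is the containment story."""
    readable = set()
    for course_id in COURSES:
        try:
            reader(session, course_id)
            readable.add(course_id)
        except Forbidden:
            pass
    return readable


# A session issued by the free tier whose role claim has been escalated to
# admin (constructed stand-in for the outcome of an in-tenant escalation).
ESCALATED_FFT_ADMIN = Session("teacher-1", "free-tier", "admin")

if __name__ == "__main__":
    print("role-only     :", sorted(blast_radius(ESCALATED_FFT_ADMIN, read_messages_role_only)))
    print("tenant-scoped :", sorted(blast_radius(ESCALATED_FFT_ADMIN, read_messages_tenant_scoped)))
```

Run stand-alone, the role-only reader lets the escalated free-tier session read the paying institution's private channel; the tenant-scoped reader confines it to the free-tier course it started in. The practical check to ask of any shared-infrastructure supplier is whether their tenant boundary is enforced on the data path, as in the second function, or only by the roles they hand out.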