Instructure confirms ShinyHunters used Canvas XSS flaws to deface school login portals and pressure ransom

Instructure confirms that ShinyHunters exploited multiple cross-site scripting flaws in Canvas to deface school login portals on May 7, demanding the company and individual schools negotiate ransom by May 12. The flaws are in user-generated-content features of the free Free-for-Teacher Canvas environment and let the attacker grab authenticated admin sessions. This was a second hit following the original breach disclosed a week earlier that ShinyHunters claims netted 3.6 terabytes covering 8,809 educational organizations and 275 million student, teacher, and staff records. Instructure has taken Free-for-Teacher offline and applied additional safeguards; main Canvas has been restored since May 9.

Check

If your school uses Canvas, check whether students or staff saw the defaced login page on May 7. Review browser logs for any extension that interacted with injected ransom content.

Affected

Canvas instances accessed through the Free-for-Teacher environment between May 7 and Instructure taking it offline. The exploited cross-site scripting flaws sit in user-generated-content features that allowed JavaScript injection. Schools and universities running the paid Canvas LMS are also exposed to the underlying data breach that ShinyHunters used for extortion leverage.

Fix

Wait for Instructure's official statement on which XSS vulnerabilities were exploited and when Free-for-Teacher returns. For paid Canvas tenants, assume usernames, email addresses, course names, enrollment information, and direct messages were part of the 3.6TB leak and treat affected accounts as phishing targets. Force-rotate any API tokens issued for Canvas integrations and audit external integrations that accepted user-generated content.