Instructure Investigates Unauthorized Changes to Canvas Login Pages

Instructure took its Canvas learning platform offline on May 7 2026 after it discovered unauthorized changes had been made to login pages. The company placed the service into maintenance mode and restored it for most users later the same day. Canvas Beta and Canvas Test systems remained in maintenance mode.

The company is also investigating login difficulties affecting some Student ePortfolios and temporarily shut down Free-For-Teacher accounts after determining they had been exploited.

According to the company, the unauthorized actor injected an HTML file that altered the appearance of login pages at a small number of schools. The altered pages displayed a message claiming responsibility on behalf of ShinyHunters and demanding that Instructure negotiate a settlement by the end of the day on May 12 2026 or face publication of certain data.

The message directed affected schools to consult a cyber advisory firm and contact the actors privately via TOX.

Instructure’s chief information security officer Steve Proud stated on May 2 that the information involved for users at affected institutions included names, email addresses, student ID numbers, and messages exchanged by users on the platform. The company disclosed an earlier incident on Tuesday and said last week that it had deployed patches to enhance system security.

On Wednesday the incident was marked as Resolved, with Proud writing that Canvas is fully operational and that the company is not seeing any ongoing unauthorized activity.

ShinyHunters had previously claimed responsibility for the earlier breach of Instructure and publicized it on its leak site. The group asserted that data belonging to almost 9,000 schools had been taken and that the files contained information on 231 million people, a figure later described by the group as affecting 275 million students, teachers, and other staff.

ShinyHunters published a list of schools it claims to have breached through Canvas. Both Instructure and the listed schools appeared as victims on the group’s dark web site on Thursday before those references disappeared by Thursday evening. The ShinyHunters site later became unresponsive.

Instructure said it regrets the inconvenience and concern the outage may have caused. ShinyHunters has previously claimed responsibility for attacks on Ticketmaster, AT&T, Rockstar Games, ADT, and Vercel. No publicly released evidence has documented the full scale of data exfiltration claimed by the group in either incident.