[CDP-development] Confirmed Data Breach: Canvas / Infrastructure
Galusha, Kevin
KGalusha at clackamas.us
Wed May 6 13:27:38 PDT 2026
Disruptors,
Sharing an advisory that was sent to the Alaska cyber group regarding Canvas, a solution commonly used by K-12 and Higher Ed.
Thanks,
Kevin Galusha, CISSP
Cybersecurity Architect
Clackamas County Technology Services
(503)723-4960
KGalusha at clackamas.us
www.clackamas.us
From: Mark Breunig <mark.breunig at alaskacybergroup.org>
Sent: Wednesday, May 6, 2026 1:19 PM
Subject: Alaska Cyber Group Advisory - Canvas/Instructure Confirmed Data Breach
Hi Everyone,
Alaska Cyber Group Public/Private Sector IT-Security Professional Members,
The following advisory is TLP CLEAR:
On May 3rd, Instructure - the developer of Canvas, a widely used learning management system - confirmed that significant data had been stolen due to a cyberattack. The hacker group ShinyHunters has claimed responsibility. Instructure has been notifying customers confirmed to be impacted; the Alaska Cyber Group is sending this advisory out as amplifying messaging and to raise awareness to entities that utilize Canvas that are not yet aware.
Saturday, Instructure released the following statement:
"While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users," "At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions."
Customers are required to re-authorize access to Instructure's API for new application keys to be issued.
The group ShinyHunters has released the following:
"Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII," reads the data leak site.
"Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved."
If your organization utilizes Canvas, please follow the instructions to re-authorize access to Instructure's API for new application keys to be issued and maintain continued awareness for updates or alerts from Instructure. If anyone believes they have been impacted but have not received any communications, please reach out to us and we can confirm whether or not they are on the list provided by ShinyHunters.
The information contained in this product is marked Traffic Light Protocol (TLP): CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules.
TLP: CLEAR
Reporting
The Alaska Cyber Group encourages recipients who discover signs of malicious cyber activity to contact us via either email or phone.
Respectfully,
Mark Breunig
Chairman
Alaska Cyber Group
Mobile: 907-795-8150
Email: mark.breunig at alaskacybergroup.org