Instructure confirms Canvas flaw used for portal defacement

Canvas flaw – Instructure says hackers exploited XSS to alter Canvas login portals and post an extortion message, after a prior data theft. Canvas has since been restored.

A confirmed breach is now taking shape around Instructure’s Canvas: the company says attackers exploited a security flaw to tamper with Canvas login portals and leave an extortion note designed to pressure the vendor into ransom talks.

Instructure, the developer of Canvas—a widely used learning management system for schools and universities—confirmed that the incident involved multiple cross-site scripting (XSS) vulnerabilities. Those flaws allowed the attacker to take control in a way that reached authenticated administrative sessions, giving the threat actor the leverage needed to alter the pages shown to users.

The original intrusion was identified on April 29, when Instructure discovered it had been breached. The company said it immediately revoked the unauthorized access, started an investigation, and brought in outside forensic experts.

A few days later, Instructure acknowledged that data had been stolen. Around the same time, a threat actor posting under the name ShinyHunters listed the company on its data leak site, claiming the exfiltration included more than 3.6 terabytes of uncompressed data.

That first breach appears to have set the stage for a second, more overt move. To increase pressure for negotiations, the attacker returned on May 7, using the same vulnerability chain that enabled the initial compromise.

Instructure said the second attack involved injecting malicious JavaScript into user-generated content features. By exploiting the XSS issues, the attackers were able to obtain authenticated admin sessions and then carry out privileged actions, including altering what people saw when logging in.

The company’s confirmation also specified that the exploited issue affected the Free-for-Teacher environment, a free and limited Canvas version for individual educators. Instructure said the unauthorized actor made changes to pages that appeared when some students and teachers were logged in through Canvas.

At the time of the activity, Instructure temporarily took Canvas offline to prevent the malicious behavior from spreading further, determine what caused the incident, and apply additional safeguards. Free-For-Teacher accounts were shut down as a result while remediation work continued.

ShinyHunters’ defacements were not just cosmetic. The message was placed directly on Canvas login portals with a deadline—reportedly asking the company and schools using the platform to reach out and negotiate a ransom by May 12.

Instructure later restored Canvas. The company said Canvas was available again for use starting May 9, while Free-For-Teacher accounts would remain disabled until the issues were resolved.

While Instructure reported that no data was compromised specifically during the portal defacement phase, the data taken during the initial breach likely included usernames, email addresses, course names, enrollment information, and messages. Those elements matter because they can be used for targeted follow-on attacks such as phishing, account takeover attempts, and social engineering aimed at students, teachers, and staff.

The scale of the fallout depends in part on what the attackers claim. ShinyHunters stated that the Instructure breach affects 8,809 educational organizations, including schools, universities, colleges, and online platforms. The hackers also claimed to have stolen 275 million records belonging to students, teachers, and other staff members.

Cybersecurity experts have long warned that XSS flaws can become far more dangerous when they are combined with session access and admin privileges. Here, that risk becomes concrete: the same type of vulnerability that can be used to run scripts in a browser was leveraged to reach authenticated administrative control and modify the login experience.
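The two points above, script injection through user-generated content and the escalation from a browser-side script to an administrator's session, are easier to reason about with a concrete rendering path in front of you. The following is an added illustration written for this article; it is not Canvas or Instructure code and makes no claim about how Canvas renders content. It shows a constructed discussion-post string rendered unsafely and then with output encoding, a simple check for inline event handlers of the kind output encoding removes, and the cookie and Content-Security-Policy headers that limit what an injected script can do with an authenticated session. The header values are assumptions chosen for the example.

```javascript
// Added example, not code from Instructure or Canvas. Demonstrates:
//  1. stored XSS via user-generated content rendered without encoding,
//  2. the hardened rendering path (HTML output encoding),
//  3. session-hardening headers that reduce the impact of any script that
//     still runs (HttpOnly cookie, CSP with no inline scripts).

// Constructed sample of user-generated content, e.g. a discussion post.
// The onerror handler stands in for any injected script; no real payload.
const SAMPLE_POST = '<img src=x onerror="alert(1)">Hello <b>class</b>';

// Vulnerable pattern: untrusted text interpolated straight into markup.
function renderUnsafe(post) {
  return `<div class="post">${post}</div>`;
}

// Hardened pattern: encode the characters that change meaning in an HTML
// text context, so user input can only ever be displayed, never parsed as tags.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(post) {
  return `<div class="post">${escapeHtml(post)}</div>`;
}

// Detection helper for review or logging: does the rendered HTML contain a
// tag carrying an inline on* event handler attribute? This is one cheap
// signal, not a complete XSS filter; encoding on output is the real fix.
const INLINE_HANDLER_RE = /<[^>]+\son\w+\s*=/i;
function containsInlineHandler(html) {
  return INLINE_HANDLER_RE.test(html);
}

// Session-hardening response headers (assumed values for this example).
// HttpOnly keeps the session token out of document.cookie, SameSite limits
// cross-site sending, and a CSP without 'unsafe-inline' blocks inline
// handlers and script blocks even if some encoding gap remains.
function sessionHeaders(sessionId) {
  return {
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
  };
}

// Stand-alone demonstration.
console.log('unsafe :', renderUnsafe(SAMPLE_POST));
console.log('  inline handler present?', containsInlineHandler(renderUnsafe(SAMPLE_POST)));
console.log('safe   :', renderSafe(SAMPLE_POST));
console.log('  inline handler present?', containsInlineHandler(renderSafe(SAMPLE_POST)));
console.log('headers:', sessionHeaders('opaque-session-id-placeholder'));
```

The takeaway mirrors the article: output encoding removes the injection, and the headers decide what a script can reach if it runs anyway. An HttpOnly session cookie cannot be read by injected JavaScript, though a script running in an administrator's browser can still issue requests in that session, which is why the CSP and server-side authorization checks on privileged actions matter as a second and third layer.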

For districts and educators using Canvas, the incident underscores a broader operational challenge: even when a learning platform is restored, trust and safety measures often require extended work to verify what was altered, confirm that accounts are secure, and ensure that any temporary shutdowns do not leave gaps that attackers can exploit later.
