{
  "Event": {
    "analysis": "1",
    "date": "2026-05-09",
    "extends_uuid": "",
    "info": "[Threat Intel] Technical Advisory: Breach of Instructure Canvas LMS",
    "protected": false,
    "publish_timestamp": "1779546906",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1778952409",
    "uuid": "8b1cc71b-0ea8-4adb-b274-dc6938e0a183",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#44212b",
        "local": false,
        "name": "misp-galaxy:producer=\"Bitdefender\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e96364",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Adversary-in-the-Middle - T1557\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#77a4ec",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"",
        "relationship_type": ""
      },
      {
        "colour": "#cb74ba",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Search Victim-Owned Websites - T1594\"",
        "relationship_type": ""
      },
      {
        "colour": "#91c667",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Cloud Storage - T1530\"",
        "relationship_type": ""
      },
      {
        "colour": "#b25e1b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Use Alternate Authentication Material - T1550\"",
        "relationship_type": ""
      },
      {
        "colour": "#65d24c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Identity Information - T1589\"",
        "relationship_type": ""
      },
      {
        "colour": "#b206a3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Accounts - T1586\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#4b76ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Org Information - T1591\"",
        "relationship_type": ""
      },
      {
        "colour": "#2da3e8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Network Information - T1590\"",
        "relationship_type": ""
      },
      {
        "colour": "#1acf09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Trusted Relationship - T1199\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#a0d02a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing for Information - T1598\"",
        "relationship_type": ""
      },
      {
        "colour": "#a42e64",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"",
        "relationship_type": ""
      },
      {
        "colour": "#a05856",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"",
        "relationship_type": ""
      },
      {
        "colour": "#37c019",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#abbbbf",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Authentication Process - T1556\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#b990dd",
        "local": false,
        "name": "misp-galaxy:target-information=\"Australia\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"ShinyHunters\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"data-breach\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497212",
        "to_ids": false,
        "type": "link",
        "uuid": "81c54143-1ea9-4593-8ac0-82f3c3ac0c41",
        "value": "https://businessinsights.bitdefender.com/technical-advisory-shinyhunters-breach-instructure-canvas-lms"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497212",
        "to_ids": false,
        "type": "text",
        "uuid": "9d29acec-6d81-4f08-924c-1c3dc0b8ac7c",
        "value": "In early May 2026, Instructure confirmed a breach affecting its Canvas learning platform after detecting unauthorized activity on May 1. ShinyHunters exploited the Free-For-Teacher account program, compromising the Canvas platform directly and exposing names, email addresses, student IDs, and private messages. The exposure window ran from April 30 to May 7, 2026. ShinyHunters claims 3.6 TB of data covering approximately 275 million users across 9,000 schools globally, including institutions in the US, Australia, and EU. This represents ShinyHunters' second attack against Instructure in eight months. Instructure shut down the Free-For-Teacher program permanently, rotated API keys and privileged credentials, and engaged forensic investigators. The stolen data enables personalized phishing campaigns targeting students and faculty, with attackers potentially having write access sufficient to deface login pages at multiple institutions."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497212",
        "to_ids": false,
        "type": "text",
        "uuid": "c161b365-0f10-41cc-87ff-2d377bea91d6",
        "value": "Name: Technical Advisory: Breach of Instructure Canvas LMS\nAuthor: AlienVault\nAdversary: ShinyHunters\nTags: [\"phishing campaign\", \"api compromise\", \"social engineering\", \"extortion\", \"education sector\", \"data breach\", \"credential theft\", \"canvas lms\"]\nTargeted countries: [\"United States of America\", \"Australia\", \"United Kingdom of Great Britain and Northern Ireland\"]\nMalware families: []\nAttack_ids: [\"T1557\", \"T1539\", \"T1114\", \"T1594\", \"T1530\", \"T1550\", \"T1589\", \"T1586\", \"T1528\", \"T1591\", \"T1590\", \"T1199\", \"T1566\", \"T1078\", \"T1486\", \"T1598\", \"T1213\", \"T1485\", \"T1078.004\", \"T1556\"]\nIndustries: [\"Education\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497212",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "0b66cbe9-b966-4a22-8d14-cdd59ed83dc7",
        "value": "ShinyHunters"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952300",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3d25d4f7-ddac-4a64-9db5-c6675c00b753",
        "value": "91.215.85.103",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952322",
        "to_ids": true,
        "type": "url",
        "uuid": "4031fa49-9172-4f83-96b8-9093254d713e",
        "value": "http://91.215.85.103/pay_or_leak/instructure_affected_schools_list.txt",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952343",
        "to_ids": true,
        "type": "url",
        "uuid": "ec62c2e2-2495-4047-9420-9dc474b415d0",
        "value": "http://91.215.85.103/pay_or_leak/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778952364",
        "to_ids": true,
        "type": "url",
        "uuid": "732e3d37-743d-477a-8983-76904d2a0c9b",
        "value": "http://shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}