Access to Canvas has been restored following yesterday's widespread outage that ensnared thousands of universities and schools. However, Canvas’s developer, Instructure, has temporarily shut down the "Free-For-Teacher" service after hackers exploited it to infiltrate the platform.
For hours on Thursday, students and professors struggled to access the online platform used to submit assignments and tests. Instructure now says it took Canvas offline as a precaution after the cybercriminal gang ShinyHunters placed an extortion note on the service.
“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” the company said in a FAQ about the incident.
Instructure didn’t elaborate on the nature of the vulnerability. But it looks like the company's free offering for teachers created a pathway to hijack portions of the online system. ShinyHunters has been known to make English-language phone calls and impersonate employees to trick company staff into granting internal access.
The hackers initially exploited Free-For-Teacher accounts on April 29, which Instructure previously disclosed. But while Instructure seemingly booted the hackers, ShinyHunters regained access on Thursday to post the extortion note across Canvas.
The good news is that Canvas found no evidence that any user information was stolen this week. However, the hackers were able to loot data during the April 29 intrusion, including “names, email addresses, student ID numbers, and messages among Canvas users.”
Instructure says it has fully removed the hackers. But to do so, the company decided to pull the Free-For-Teacher service offline as it works to bolster Canvas security. “This was a difficult decision because Free-For-Teacher accounts are an important part of our platform, but it was the right step to protect customers and users while we complete additional safeguards,” it says.
'Presumably, Parents Will Be Outraged'
The outage has likely dealt a major reputational blow to Instructure and Canvas. Malware research and library service VX Underground notes that it doesn’t appear ShinyHunters stole highly sensitive information, only names and school-related email addresses. Nevertheless, the breach exposed details about underage students since Canvas is also widely used by K-12 school districts.
“Presumably, parents will be outraged, and this will inevitably result in a lawsuit against the schools or Canvas,” VX Underground adds. In the meantime, some universities are delaying final exams due to the Canvas outage. The stolen messages between students and teachers over Canvas could also expose sensitive details.
It remains unclear if Canvas paid a ransom to ShinyHunters, which threatened to leak the stolen data. The group reportedly removed Instructure from its website, suggesting that a deal had been made. “We are not commenting and have no further comment to make regarding this global incident,” ShinyHunters says.
In a statement, the FBI urged people not to pay any ransoms. "By receiving a message, that does not necessarily mean your personal information has been compromised. Threat actors often exaggerate or fabricate their access to sensitive or personal information to prompt payment from victims," it says. "We encourage individuals to be cautious of unsolicited emails, calls, or texts claiming to be from your school, the [Canvas], or law enforcement and to verify the contact through known channels before responding."
For now, Instructure says Canvas is safe to use, adding: “Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform.”
The company is also reaching out to all affected institutions. We don't know how many were hit, but ShinyHunters previously claimed to have targeted nearly 9,000 groups, including school districts and universities, suggesting millions of students were affected.
Instructure added: “As we respond to this incident, we're focused on three things: completing a rigorous investigation, communicating verified information to impacted customers, and continuing to strengthen the safeguards that protect customer and student data. Trust is earned through actions and we’re committed to earning yours.”


