TRENDAI ™ Research says the Instructure Canvas breach in May 2026 exposed data from 8,809 Canvas customers across 50 countries, affecting universities,K–12 districts and teaching hospitals worldwide, including eight Ivy League institutions.
The leak stems from a backend compromise of the parent company Instructure’s platform, with 2,514 higher education institutions and 1,616 K–12 districts confirmed among the 8,809 entries, and development, UAT and staging instances suggesting backend access or sophisticated API exploitation.
The threat actor SHADOW-AETHER-015 is described as having medium-to-high capability, and TrendAI™ Research notes the group was involved in a 2025 Salesforce compromise, often exploiting trusted third‑party integrations to reach high‑value targets. The breach enables highly convincing follow‑on attacks, including spear‑phishing using real course names, private message history and other institutional context, alongside credential abuse and social engineering risk.
The article emphasises that the data exposed likely includes sensitive personal information such as medical accommodation requests and private adviser conversations, though it does not grant access to internal IT systems. TrendAI™ to monitor Canvas‑related activity and advise on protective steps such as reviewing API integrations and enforcing MFA.