Your account
Register Login
Browse
Individuals For Business
← All posts

Analyzing the Instructure Hack!

Instructure — What, Why, How?

June 15, 2026 · Zeke · 4 min read

Warning schools woke up to after Instructure was hacked.

Even if you weren't part of the Canvas breach, you'll still suffer the consequences.

Last month, a group of organized attackers breached Canvas, the learning platform most colleges and districts run on.

The names, emails, ID numbers, and private messages of students and staff of roughly 9,000 schools across the globe were compromised. The group behind it, known as ShinyHunters, didn't break some unbreakable system. They found a side-door through a freemium product tier that ran on the same servers as paid accounts. The identity checks for free accounts were much less involved, and ShinyHunters exploited that fact.

Even if you weren't involved in the breach, it will affect you. Let's talk about how.

Breaches suck. The fallout is even worse.

No one using Canvas could've prevented this. The tool itself was compromised. We couldn't have patched Instructure's broken system, and neither could anyone else. This is the frustrating reality of reliance on cloud-services.

Once the data is out of the box, it isn't just hoarded like gold. It's used to generate more value, often through personalized phishing emails, known as Spear Phishing Attacks.

Phishing attacks can often come off as clumsy "Dear customer, verify your account." These have become incredibly easy to spot, and folk are frequently trained in their identification. What if the phishing attack referenced a real message from last night or a real ID number. Socially engineered attacks are already effective, drop in some personalized information to drop the guard of an unsuspecting victim. It's one of the reasons personal information is so incredibly valuable.

Most security filters miss these because there's nothing obviously fake to catch. Informed people with awareness training struggle because the email looks legitimate. The two defenses most organizations lean on are the two that personalized attacks are built to slip past.

So What! I'm in a totally different industry!

Swap "private messages of students and staff" for "invoice number" and "ID numbers" for "vendor W-9." The attack is industry agnostic. Everyone has information they'd like to keep private.

But every company runs on outside software: Your payroll provider, your CRM, your email host, your accounting tool — they're likely all in the cloud. When one of them gets breached, your information ends up in someone's dataset, and the convincing email lands in your team's inbox a few weeks later. You didn't make the mistake. You inherit the risk anyway.

You can't audit your vendors' servers. You can't out-train a perfect fake. So what's actually left?

Are we just screwed? Fortunately not.

The personalized email can slip past even your most alert employees, but the link inside it still has to go somewhere or do something. Whether that's a fake login page, a credential-harvesting form, or a downloadable file that shouldn't be there.

That moment, the click, is the decision you make. It's the one place you can take ownership of the situation and steer yourself to safety. That's why it's where SAFE Portal work gets to work. Instead of clogging up employee time with training, the browser checks where a link actually goes before your employee hands over a password, and highlights it as an additional warning. If someone continues clicking through, SAFE Portal warns them again upon any possible malware download and every suspicious login page they may encounter. If you're less interested in letting curious people explore dangerous domains, turn off their ability to SAFElist sites, and they'll be insulated from their own morbid curiosity.

It won't stop a vendor from getting breached. Nothing on your end will. What it does is sit between the convincing message and the costly mistake, on the one part of the chain that's yours.

Big enterprises answer this with security teams and six-figure monitoring platforms. If you're a small or mid-sized business without an IT department, that's not an option, and you shouldn't need it to be. We also wanted to make sure you didn't need to rely on a promise from a third party, so we do everything in private. It's not enough that we don't want to see your private information, we've built our tech to make sure that we can't see it.

Download SAFE Portal free · See how it works

Stay protected Get SAFE Portal Free, ~2 minutes to set up Get it now → Read next Caught in the Wild: Perfect Fakes Read the post →

Share this post

Link copied!

Follow SAFE Portal