The Instructure (Canvas) Incident
On May 2, 2026, Instructure — the U.S.-based company that owns the Canvas Learning Management System (Canvas LMS) — publicly disclosed that the threat-actor group ShinyHunters had compromised its environment. Canvas is one of the most widely deployed LMS products in education globally, used by approximately 8,800 to 9,000 school districts, universities, K-12 schools, and online education platforms — and by an estimated 275 million end users (students, teachers, and staff combined). The threat actor has claimed responsibility for stealing roughly that 275-million-record dataset and is operating the incident as a ransomware-style extortion against Instructure, threatening a public leak unless Instructure responds.
Per Instructure's own May 2, 2026 public announcement (cited in the DLSU statement reproduced below):
- Affected data categories (global scope): full names, email addresses, student ID numbers, and messages exchanged within the Canvas platform
- Reported as not involved: passwords, dates of birth, government identifiers, financial information
Instructure has stated it engaged a third-party forensics firm, notified law enforcement (FBI, CISA, international partners), revoked compromised credentials and access tokens, deployed platform-wide remediation, rotated internal keys, and restricted token-creation pathways across the platform.
Philippine Scope
Canvas is widely deployed across Philippine higher education, frequently under local brand names. As of the most recent update to this entry, the Philippine institutional landscape splits into three categories:
Confirmed by the institution:
- De La Salle University (DLSU) — confirmed via Office of the President statement (May 6, 2026) signed by Br. Bernard S. Oca FSC. DLSU brands its Canvas deployment as AnimoSpace. Full statement is reproduced verbatim in this entry's `schoolStatement` field
- Ateneo de Manila University (ADMU) — confirmed via the IT Security Advisory issued by the Office of the Vice President for Digital Information and Technology Services on May 7, 2026. The advisory states: "Instructure, the provider of Ateneo de Manila University's Canvas learning management system, recently notified the University of a cybersecurity incident affecting their infrastructure." Ateneo has activated incident response protocols, engaged legal counsel and data protection personnel, and committed to direct individual notification "should circumstances warrant"
Issued institutional statement, coordinating with Instructure, status not yet definitively confirmed:
- University of Santo Tomas (UST) — UST's Office of Information and Communication Technology (OICT) issued two memoranda on May 8, 2026, placing the UST Cloud Campus under security maintenance from May 9 to May 10, with required system-wide re-login and account reauthentication. OICT stated: "At this time, there is no indication of unauthorized access to University systems beyond the reported platform incident," and indicated the University is "coordinating with developer Instructure to determine whether any UST-related data was compromised." UST migrated to Canvas in 2023 from Blackboard, replacing two decades of prior LMS use
- University of the East (UE) — UE issued a statement on or before May 8, 2026 (carried by GMA News) stating the University is "aware of the situation" and "closely coordinating with Instructure and monitoring official updates regarding the matter. Canvas LMS remains operational and accessible to UE constituents." The University advised students, faculty, and employees to "exercise vigilance, particularly against suspicious emails, links, or messages that may attempt to exploit the situation through phishing or related activities." UE has a separate prior incident on this site — see University of the East 2019 breach
Experienced Canvas service disruption (no separate institutional advisory observed):
- San Beda University — per The Varsitarian, San Beda experienced disruption when Canvas went offline on the Friday morning following the incident, alongside Ateneo. This is consistent with Instructure taking the platform briefly offline globally for maintenance and does not on its own confirm San Beda was among Instructure's notified affected clients. SchoolBreach.org will update this entry if and when San Beda issues a public statement either way
Other higher-education institutions — given Canvas's deployment footprint in Philippine universities, additional confirmations are likely as Instructure continues issuing per-school notifications. SchoolBreach.org will track and document each as confirmation becomes public.
This entry is tracked as a multi-institution Philippine incident: it aggregates every Philippine higher-education institution publicly tied to the Instructure / Canvas breach into a single record, rather than spinning out per-school entries for the same upstream third-party-processor incident. The structure follows the precedent set by the Multiple Philippine Schools (LMS Platform Breach, August 2025).
Instructure's May 6 Status Update
On May 6, 2026, Instructure declared its Canvas platform "fully operational" in a status update from Steve Proud, Instructure's Chief Information Security Officer: "While our investigation continues alongside our outside forensics experts, at this stage we believe the incident has been contained." Instructure has reiterated that the breach compromised names, email addresses, student ID numbers, and internal messages, but that there is no current evidence that passwords, dates of birth, government identifiers, or financial information were stolen — adding "if that changes, we will notify any impacted institutions."
DLSU's Institution Statement
De La Salle University's Office of the President, signed by Br. Bernard S. Oca FSC, President, issued a community announcement on May 6, 2026, addressed to "Students, Faculty members, and Parents." The full statement is reproduced verbatim in the `schoolStatement` field of this entry below; selected operative paragraphs:
"Please be informed that Instructure, the company that owns Canvas Learning Management System, has experienced a data breach. Canvas is referred to as AnimoSpace in De La Salle University.
In the May 6, 2026 notification to DLSU, Instructure has confirmed that our University is among their affected clients but they have yet to confirm what specific data were affected for each school. Instructure did communicate that they found no indication that passwords, dates of birth, government identifiers, or financial information were involved.
As this incident is limited to Instructure's environment, we assure the community that other IT-enabled systems in the University are not affected."
The institution's position is:
- 1.The incident is publicly acknowledged immediately upon DLSU's receipt of Instructure's notification
- 2.The compromise is at the third-party-processor level (Instructure / Canvas), not in DLSU's own infrastructure
- 3.The specific DLSU-scope of affected data has not yet been clarified by Instructure and DLSU is awaiting that information
- 4.DLSU's own systems (other than the AnimoSpace integration with Canvas) are not affected
- 5.The university has prepared to notify the National Privacy Commission "in case additional information from Instructure warrants for the incident to be reported to the regulator"
Ateneo de Manila University's Institution Statement
The Ateneo de Manila University's Office of the Vice President for Digital Information and Technology Services issued a formal IT Security Advisory on May 7, 2026, the day after DLSU's confirmation. Selected operative paragraphs:
"Instructure, the provider of Ateneo de Manila University's Canvas learning management system, recently notified the University of a cybersecurity incident affecting their infrastructure.
Instructure has confirmed that Canvas remains fully operational and that they are not seeing any ongoing unauthorized activity. Members of the University community may therefore continue using Canvas for teaching and learning activities.
The University is working closely with Instructure to obtain more detailed information from their ongoing investigation, which is being conducted with the assistance of external forensic experts. The University will continue to assess any potential impact on institutional data as further information becomes available and will provide updates accordingly.
The University has activated its incident response protocols, including the engagement of legal counsel and data protection personnel. Should circumstances warrant individual notification, the University will communicate directly with affected individuals and coordinate with the appropriate authorities in accordance with applicable data protection requirements."
Ateneo's position is:
- 1.Confirmed receipt of an Instructure notification regarding the platform-level incident
- 2.Canvas remains operational at Ateneo and continued use is endorsed
- 3.Investigation is ongoing; potential impact on institutional data is still being assessed
- 4.Incident response protocols activated, including legal counsel and data protection personnel
- 5.Committed to direct individual notification "should circumstances warrant"
Timeline
- May 2, 2026 — Instructure's first public announcement of the cybersecurity incident; the company advised that names, email addresses, student ID numbers, and platform messages were affected globally, but at that point did not confirm which client schools were affected
- May 6, 2026 — Instructure declares Canvas "fully operational" with the incident "contained" per CISO Steve Proud's statement on the Canvas status page
- May 6, 2026 — Instructure's private notification to DLSU confirming the University is among affected clients
- May 6, 2026 — DLSU Office of the President releases the community announcement (the statement reproduced in this entry)
- May 6, 2026 (within hours of the President's statement) — DLSU's official student publication The LaSallian publishes its own coverage on Facebook quoting Br. Oca's confirmation
- May 7, 2026 — Ateneo de Manila University issues an IT Security Advisory from the Office of the VP for Digital Information and Technology Services confirming Instructure has notified the University of the incident
- May 8, 2026 — UST's Office of Information and Communication Technology issues two memoranda placing the UST Cloud Campus under security maintenance from May 9 to May 10, while awaiting Instructure's per-institution determination
- May 8, 2026 — University of the East (UE) issues a statement, carried by GMA News, stating the University is "closely coordinating with Instructure and monitoring official updates" and that Canvas LMS "remains operational and accessible to UE constituents"
- May 9–10, 2026 — UST Cloud Campus security maintenance window with required system-wide re-login and reauthentication
What Was Affected
Per Instructure's own May 2, 2026 announcement (cited in the DLSU statement):
- Affected data categories: full names, email addresses, student ID numbers, messages exchanged within the Canvas platform
- Reported as not involved: passwords, dates of birth, government identifiers, financial information
Instructure has not yet confirmed the specific record count or data-field breakdown for any individual Philippine institution's deployment. Each affected university has stated it is awaiting that clarification.
What the Affected Institutions Have Done
De La Salle University (DLSU)
Per the May 6, 2026 Office of the President statement:
- 1.Continuous monitoring of Instructure's announcements
- 2.Confirmed system administrator accounts remain intact and unadulterated, per Instructure's recommendation
- 3.ASIST, ISTS, and the Data Protection Officer are working closely to re-evaluate any risks against new information from Instructure
- 4.Prepared NPC notification in case additional information from Instructure warrants reporting to the regulator under RA 10173
- 5.Established a community-facing reporting channel at `databreach@dlsu.edu.ph` for suspicious phishing emails referencing the incident
- 6.Provided AnimoSpace support contacts for community members experiencing account issues — `animospace.support.is@dlsu.edu.ph` (grades 4 to 10) and `asist.support@dlsu.edu.ph` (Senior High School, undergraduate, graduate, law)
Ateneo de Manila University (ADMU)
Per the May 7, 2026 IT Security Advisory:
- 1.Activated incident response protocols, including engagement of legal counsel and data protection personnel
- 2.Endorsed continued use of Canvas for teaching and learning, citing Instructure's confirmation that the platform remains operational with no ongoing unauthorized activity
- 3.Coordinating directly with Instructure to obtain more detailed information from the ongoing forensic investigation
- 4.Committed to direct individual notification "should circumstances warrant"
University of Santo Tomas (UST)
Per the May 8, 2026 OICT memoranda:
- 1.Placed the UST Cloud Campus under security maintenance from May 9 to May 10
- 2.Required system-wide re-login and account reauthentication as a precautionary measure
- 3.Coordinating with Instructure to determine whether any UST-related data was compromised
- 4.Stated there is "no indication of unauthorized access to University systems beyond the reported platform incident"
University of the East (UE)
Per the public statement carried by GMA News on or before May 8, 2026:
- 1.Closely coordinating with Instructure and monitoring official updates
- 2.Canvas LMS remains operational and accessible to UE constituents
- 3.Advised vigilance against suspicious emails, links, or messages that may exploit the situation through phishing
San Beda University
No separate institutional advisory has been observed as of mid-May 2026. Per The Varsitarian, San Beda experienced Canvas service disruption alongside Ateneo during the platform's brief global offline window. This entry will be updated if and when San Beda issues a public statement.
What Instructure Has Done (per institution statement)
Per the DLSU statement, Instructure has reported it has:
- 1.Engaged a leading third-party forensics firm to support investigation
- 2.Notified law enforcement, including the FBI, U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law-enforcement partners
- 3.Disabled the compromised accounts and revoked all associated access and tokens
- 4.Remediated the underlying vulnerability and deployed platform-wide protections
- 5.Rotated internal keys and restricted token-creation pathways across the platform
Why This Matters
- Third-party-processor risk at sector scale — the structure of this incident differs from most other 2026 entries on this tracker. None of the affected universities' own systems were breached; the compromise is at the LMS vendor level. Because Canvas is deployed across so many Philippine higher-education institutions, a single processor-level event simultaneously triggers RA 10173 notification obligations at every affected institution — each remains the personal-information controller for its own community, even though the underlying breach occurred at the processor's environment
- Diverse right-of-reply responses, in one frame — this entry captures Philippine higher education's range of disclosure postures side by side: DLSU's same-day Office-of-the-President statement, Ateneo's next-day formal IT Security Advisory from the VP for DITS, UST's two-memorandum precautionary maintenance window, UE's public coordinating statement, and San Beda's (so far) silence. DLSU's same-day disclosure is the strongest right-of-reply response documented on this site to date and contrasts sharply with the silence around many threat-actor-claimed incidents in the same week — compare with the DepEd Training Platform CSV leak (May 3), where the institution has not issued a public statement, and with the May 1–3 Nullsec/Crypt0nymz school batch
- Sector-wide exposure to Canvas — Canvas (Instructure) is widely deployed across Philippine higher education, often under different local brand names (DLSU's AnimoSpace is one example). The publicly known Philippine footprint is already at least five universities and is likely to grow as Instructure continues its per-school notifications and as additional institutions decide to issue public statements
- Limited-data scope per Instructure's statement — Instructure's reporting that passwords, dates of birth, government identifiers, and financial information were not involved limits the immediate identity-theft and credential-stuffing risk relative to a typical bulk database leak, though it does not eliminate the targeted-phishing risk that DLSU, UE, and others have explicitly warned their communities about
Recommended Actions for Affected Communities
If you are a student, faculty member, or staff member at any institution that uses Canvas — confirmed-affected or not — the operative recommendations across the issued institutional statements converge on:
- 1.Be vigilant against suspicious email messages, especially any referencing your institution, Canvas, AnimoSpace, or Instructure, while Instructure clarifies the per-institution data scope
- 2.Report suspicious phishing emails through your institution's channel — e.g., DLSU's `databreach@dlsu.edu.ph` for the DLSU community
- 3.Consider changing the password associated with your Canvas/AnimoSpace/Cloud-Campus account as a precautionary measure (not specifically recommended by Instructure, but suggested by DLSU and consistent with UST's required reauthentication)
- 4.Continue using Canvas for teaching and learning unless your institution has issued specific guidance otherwise; Canvas is reported as operational, and Ateneo and UE have explicitly endorsed continued use
- 5.Use your institution's official support channels for account issues — e.g., DLSU's `animospace.support.is@dlsu.edu.ph` (grades 4–10) and `asist.support@dlsu.edu.ph` (SHS, undergraduate, graduate, law)
Recommended Actions for Other Philippine Institutions Using Canvas
- Confirm with Instructure whether your institution is on the affected list — Instructure has been issuing per-school notifications since the May 2 public announcement
- Identify your local brand name for Canvas (e.g., DLSU's AnimoSpace, UST's Cloud Campus) so that community communications are clear
- Pre-position a community-facing reporting channel for phishing (DLSU's `databreach@dlsu.edu.ph` is the right pattern)
- Brief your Data Protection Officer on the incident regardless of confirmation status; the DPO should be the single point of contact for any subsequent Instructure communications
- Issue a public statement as soon as confirmation arrives — DLSU's same-day disclosure, Ateneo's next-day formal advisory, and UST's two-memorandum precautionary posture are all defensible models and have materially improved each institution's reputational position relative to the alternative of silence
Cross-references on this site
The Philippine universities named in this entry have separate prior incidents tracked on this site that are unrelated to the third-party-processor scenario described here:
- De La Salle University (DLSU) — 2023 cyberattack — separate incident on DLSU's own systems
- De La Salle University (DLSU) — 2020 Data Leak — older incident
- University of the East 2019 breach — prior UE incident
Institution Statement
Right of Reply — Official statement from the named institution
Dear Students, Faculty members, and Parents, Please be informed that Instructure, the company that owns Canvas Learning Management System, has experienced a data breach. Canvas is referred to as AnimoSpace in De La Salle University. While Instructure has not yet provided us with information on what personal data may have been affected, we are releasing this announcement as a precautionary measure. This will allow all of us to take action that may help protect our Canvas accounts and prevent ourselves from falling victims to phishing emails. What data was affected? In the May 2, 2026 public announcement, Instructure advised that names, email addresses, and student ID numbers, as well as messages among users were affected but they have yet to confirm which of their client schools are affected. In the May 6, 2026 notification to DLSU, Instructure has confirmed that our University is among their affected clients but they have yet to confirm what specific data were affected for each school. Instructure did communicate that they found no indication that passwords, dates of birth, government identifiers, or financial information were involved. What has Instructure done to mitigate the incident? - Engaged a leading third-party forensics firm to support investigation - Notified law enforcement, including the FBI, U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners - Disabled the compromised accounts and revoked all associated access and tokens - Remediated the underlying vulnerability and deployed platform-wide protections - Rotated internal keys and restricted token creation pathways across the platform What actions were done by DLSU? - We are continuously monitoring announcements from Instructure. - Per the recommendation of Instructure, we have confirmed that the University's system administrator accounts remain intact and unadulterated. - ASIST, ISTS, and the DPO are working closely to re-evaluate any risks in relation to new information that we will receive from Instructure. - We have prepared to notify the National Privacy Commission in case additional information from Instructure warrants for the incident to be reported to the regulator. What actions must you take? - While we are waiting for Instructure to confirm what personal information was affected, we urge everyone to be vigilant against suspicious email messages. Report suspicious messages that you receive in your DLSU email to databreach@dlsu.edu.ph. - While not specifically recommended by Instructure, you may want to change the password associated with your AnimoSpace account. - There should be no impact on your access to AnimoSpace. However, if you experience any issues with your account, please email: animospace.support.is@dlsu.edu.ph (grades 4 to 10) asist.support@dlsu.edu.ph (SHS, undergraduate, graduate, or law) As this incident is limited to Instructure's environment, we assure the community that other IT-enabled systems in the University are not affected. Thank you. In St. La Salle, (SGD.) Br. Bernard S. Oca FSC President De La Salle UniversitySources & References
All sources are independently verified. Access dates and archive links are recorded for each citation.
- [1]DLSU Office of the President — Update on Canvas Cybersecurity Incident — Community announcement signed by DLSU President Br. Bernard S. Oca FSC, addressed to students, faculty, and parents, confirming Instructure's notification of DLSU as an affected client and detailing timeline, mitigation actions, and community contact channels (May 6, 2026). Distributed via DLSU's official communication channels.Accessed: May 6, 2026
- [2]The LaSallian — DLSU among institutions affected by Instructure breach — Coverage by DLSU's official student publication confirming that DLSU President Br. Bernard Oca FSC has confirmed the University was among institutions affected by the Instructure data breach, and that DLSU is prepared to cooperate with Instructure in evaluating risks (May 6, 2026).Accessed: May 6, 2026
- [3]Ateneo de Manila University — IT Security Advisory: Global Instructure/Canvas Incident — Official advisory from the Office of the Vice President for Digital Information and Technology Services confirming that Instructure has notified Ateneo de Manila University of the cybersecurity incident, that Canvas remains operational, and that the University has activated incident response protocols including legal counsel and data protection personnel (May 7, 2026).Accessed: May 12, 2026
- [4]The Varsitarian — UST Cloud Campus 'under maintenance' amid global Canvas cyberattack — Coverage by UST's official student publication of the UST OICT memoranda placing the Cloud Campus under security maintenance from May 9 to May 10. Cites Asst. Prof. Jerralyn Padua (assistant to the rector for ICT) stating 'no indication of unauthorized access to University systems beyond the reported platform incident' while UST coordinates with Instructure. Also names Ateneo de Manila University and San Beda University as having experienced Canvas service disruption in the same timeframe (May 8, 2026).Accessed: May 12, 2026
- [5]GMA News — Education tool Canvas hacked, affecting US colleges, PH's University of the East — Mainstream Philippine media coverage (GMA Network / Reuters byline) reporting that the University of the East has issued a statement on the Instructure Canvas incident, stating it is 'closely coordinating with Instructure' and that Canvas LMS remains operational and accessible to UE constituents. The article also references US college coverage (Harvard Crimson, Daily Pennsylvanian, Duke Chronicle, UCLA, University of Nebraska) and the ShinyHunters May 12 deadline (May 8, 2026).Accessed: May 12, 2026
- [6]Instructure (Canvas) cybersecurity incident — TechCrunch — Coverage of the underlying Instructure breach: ShinyHunters threat-actor claim, ~275M records, ~8,800–9,000 affected institutions globally (May 5, 2026).Accessed: May 6, 2026
- [7]Instructure hacker claims data theft from 8,800 schools, universities — BleepingComputer — BleepingComputer's reporting on the ShinyHunters claim, the 8,800-institution affected-clients list shared with the publication, and the ransomware-style extortion timeline against Instructure (May 2026).Accessed: May 6, 2026
- [8]Instructure data breach scope — SecurityAffairs — Independent reporting on the Instructure incident, scope of affected institutions, and ShinyHunters extortion claims (May 2026).Accessed: May 6, 2026