Canvas Crushed
5–11–2026 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, May 11, 2026. The war in Iran continues, with the Strait of Hormuz still closed.
This week, we’ll skip the AI talk, at least for now, and focus on a bit of critical infrastructure news, especially for those of you in education or with kids in school.
Canvas Crushed
News in the cyber realm last week was dominated by not one, but two incidents at Instructure, the parent company of Canvas, whose platform is in use by over 9,000 schools and 275M students.
This may sound familiar, but you’re likely confusing it for the breach at PowerSchool or Illuminate Education, both of which we’ve covered on this show.
Last Thursday, Canvas parent company Instructure put Canvas into maintenance mode - effectively taking it off line for all 9,000 schools, many of which were in finals week.
Reports confirmed the “hackers claim to have stolen students’ names, their personal email addresses, and messages sent between teachers and students.”
Ransomware gang ShinyHunters has claimed responsibility for the breach, and “shared a list of about 8,800 schools allegedly affected by the breach.” Reporting from TechCrunch noted they could not confirm whether all the listed institutions were affected, nor whether they are Instructure customers.
Meanwhile, Canvas hunkered down, and, in an apology from their CEO posted on their Incident Update page, noting:
“Last week, we made a call to get the facts right before speaking publicly. That instinct isn't wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You've been clear about that, and it's fair feedback. We will change that moving forward.”
Starting on or about May 1, Canvas had been investigating an incident, but thought it was under control on 5/6, with their CISO posting “Canvas is fully operational, and we are not seeing any ongoing unauthorized activity.” This will be our final update, he noted.
Following that post, ShinyHunters - who had threatened to release the stolen files if a ransom wasn’t paid - defaced the login page of approximately 330 universities, demonstrating that they still have access and re-asserted their ransom demand, with a deadline of tomorrow - Tuesday, May 12th.
This led to the maintenance mode takedown, and reporting from Wired who called this “a new kind of ransomware debacle.”
We’ll see what happens next on this, but I think it’s worth noting that Education is not defined as one of the 16 designated critical infrastructure sectors, even though CISA does work closely with K-12 stakeholders.
It will be interesting to see just how much detail we get from Canvas here, but the rumor mill is still churning that the initial point of attack was the “Free-for-Teacher” sub-platform, and then leveraging additional vulnerabilities to compromise APIs and steal data, at some point involving stolen privileged credentials.
Again, details remain fuzzy, but I think it’s a safe assumption that we’re going to see more and more news like this as tools to find these sorts of vulnerabilities become more readily available and weaponized (Mythos, yes, but other platforms, as well).
Again, the basics (identity and authentication, least privilege, role-based access, auditing, logging and alerting, etc.) and a general “diversity of defense / defense in depth” strategy are going to give you an opportunity to slow the attackers down, make them noisy, and give you a chance to respond.
In terms of lessons learned from the response methods here that the Infrastructure team used, it’s probably worth getting your comms team involved sooner - or if you don’t have a comms team, having a comms plan that lays out what, when, and how you’ll communicate in the event of an incident. Leaving these decisions as game-time is not a great strategy.
Fundraising
From a fundraising perspective, back to more reasonable numbers for the past week, with a little more than $12.5B in newly committed capital, half of which was put up by THL Partners of Boston, who raised $6.35b for its tenth flagship buyout fund.
Sitting at nearly $150B in newly committed capital for the quarter, and I’ve given up trying to reconcile the market’s behavior in this volatile environment.
Good reminder, I suppose, for all of us to stay focused on those things which we can control, and building habits that help keep us moving in the direction we’ve chosen.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://status.instructure.com/incidents/9wm4knj2r64z
https://www.instructure.com/incident_update
https://www.cisa.gov/topics/cybersecurity-best-practices/K12cybersecurity
https://www.wired.com/story/canvas-hack-shinyhunters-ransomware-instructure/