Will Instructure be subject to another major hack before September 1, 2026?

Prediction market on metaculus. Instructure is the company behind Canvas LMS, used by [41%](https://en.wikipedia.org/wiki/2026_Canvas_security_incident) of North American higher education institutions for coursework, exams, grading, and student communication. In the last eight months, it has been hacked twice by [ShinyHunters](https://en.wikipedia.org/wiki/ShinyHunters), a black-hat criminal hacking and extortion group. In September 2025, ShinyHunters [accessed Instructure's Salesforce environment](https://www.instructure.com/resources/blog/security-incident-update), compromising business contact information. Then in late April 2026, the group [exploited a vulnerability in Canvas's Free-For-Teacher accounts](https://www.theregister.com/cyber-crime/2026/05/12/congress-investigates-canvas-breach-after-instructure-cuts-deal-with-shinyhunters/5238927) to exfiltrate an estimated 3.65 terabytes of data — including names, emails, student IDs, and billions of private messages — affecting approximately 275 million users across 8,809 institutions. After Instructure attempted to patch the vulnerability without negotiating, the ShinyHunters [re-entered on May 7 through the same vulnerability](https://www.theregister.com/cyber-crime/2026/05/12/congress-investigates-canvas-breach-after-instructure-cuts-deal-with-shinyhunters/5238927), defacing login pages with ransom demands and triggering a global Canvas outage during exams week, leading many universities to postpone finals. Instructure [ultimately paid a ransom](https://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/11/instructure-pays-ransom-canvas-hackers) in exchange for data destruction and assurances against further extortion. [At least three class-action lawsuits have been filed](https://www.abc4.com/news/wasatch-front/lawsuits-instructure-data-breach/) alleging Instructure failed to protect user data (including that of minors) and that the outage cut off access to materials students needed to study for finals. The [U.S. House Homeland Security Committee has summoned CEO Steve Daly](https://techcrunch.com/2026/05/13/us-lawmakers-demand-answers-from-instructure-after-canvas-data-breaches/) for a briefing by May 21, 2026, and the [FBI, CISA, and Department of Education are all engaged](https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2026-05-12/technology-security-alert-ongoing-cybersecurity-incident-involving-canvas-learning-management-system). Instructure [states that Canvas is fully operational with enhanced security measures](https://www.instructure.com/incident_update), though its forensic investigation remains ongoing. Cybersecurity experts have [noted that paying the ransom risks incentivizing future attacks](https://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/11/instructure-pays-ransom-canvas-hackers). The sheer concentration of educational infrastructure on a single platform means another breach would compound reputational, legal, and operational damage at a scale difficult to absorb.

Resolves: 9/1/2026.