The Canvas breach and the cost of multi-tenant blast radius

DEV Community·dsly·22 days ago

Originally published on arkensec.com

Between April 29 and May 7, 2026, ShinyHunters claimed two consecutive breaches of Instructure — the company behind Canvas, the LMS running on 41% of North American higher ed. The group says it pulled 3.65 TB and 275 million records spanning 8,809 schools, then defaced Canvas login pages when Instructure shipped patches instead of negotiating.

No exotic CVE. No kernel exploit. The stated vector: "an issue related to its Free-For-Teacher accounts."

8,809 schools. One free-tier sign-up flow. That number is the point of this post.

I want to walk through what the breach shape tells us about multi-tenant API design, where the trust boundary likely failed, and what developers building SaaS on shared infrastructure can actually do about it — with code you can run today.…
