Being that this is HN, do we know how they got hacked? Can we learn something about protecting our services?
I read online that it has to do with their "Free-For-Teachers accounts" which I assume is a way for teachers to get access to Canvas services for free when their school doesn't subscribe to it.
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on a Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data and they end up throwing a bunch of different data into Salesforce.
This blog post[0] suggests that, based on their changelog after the incident, the hackers may have extracted session tokens using XSS in a support ticket. Then the ransom note was displayed using a custom theme.
[0]: https://cyber.acmucsd.com/canvas (disclosure: I was involved with this org when I was a student)
We’re currently working to identify a robust list of Indicators of Compromise (IOCs) and will make those available to our customers.
https://www.instructure.com/incident_update
It worries me they've only committed to making it available to their customers and not the public.