ShinyHunters Claims 275M Records in Instructure Canvas Breach

Instructure, the company behind Canvas—one of the most widely deployed learning management systems in education—has confirmed a data breach affecting user personal information. The ShinyHunters extortion group claims to have stolen 275 million records spanning students, teachers, and staff from nearly 9,000 schools worldwide.

ShinyHunters has set a May 6 deadline, threatening to leak the full dataset if Instructure doesn't pay. Given the group's track record, they're likely to follow through.

What Instructure Has Confirmed

In a statement released Saturday, Instructure acknowledged that personal information was exposed. According to the company, the compromised data includes:

• Names
• Email addresses
• Student ID numbers
• Messages among users

Instructure stated there is currently no evidence that passwords, dates of birth, government identifiers, or financial information were involved. The company deployed patches, increased monitoring, rotated application keys, and required customers to re-authorize API access with new credentials.

What ShinyHunters Claims

The threat actor's version is more alarming. On their leak site, ShinyHunters posted:

• Nearly 9,000 schools worldwide affected
• 275 million individuals' data compromised
• Over 240 million records tied to students, teachers, and staff
• "Several billions" of private messages between students and teachers
• Data spanning North America, Europe, and Asia-Pacific across 15,000 institutions

BleepingComputer reports they could not independently verify which schools were affected. The discrepancy between ShinyHunters' 15,000 institutions claim and the 9,000 schools figure suggests some inflation, though even the lower number represents a catastrophic breach for the education sector.

ShinyHunters' Track Record

This isn't ShinyHunters' first major breach claim. The group was behind the ADT breach affecting 5.5 million customers last week, where they combined vishing with Okta and Salesforce access to exfiltrate records. They've historically targeted large databases and aren't known for bluffing about data they hold.

ShinyHunters operates a double-extortion model: threaten the victim organization directly, and if payment doesn't come, sell or leak the data. For educational records, secondary markets exist where stolen credentials get packaged for fraud campaigns targeting young adults with thin credit histories.

Why This Matters for Schools

Canvas powers course management, assignment submissions, grading, and communication for K-12 and higher education institutions globally. Students and teachers use the platform daily, sharing messages that may contain personal details, health information, or sensitive academic matters.

The exposed message archive is concerning beyond typical PII theft. Private communications between students and teachers could contain:

• Discussions of learning disabilities or accommodations
• Disciplinary matters
• Mental health conversations
• Academic integrity issues

Even if passwords weren't compromised, the combination of student IDs, email addresses, and private messages creates risks for targeted phishing and social engineering attacks against minors.

For families concerned about protecting their information after incidents like this, our guide on what happens after a data breach covers practical steps for affected individuals.

Second Breach in Eight Months

According to DataBreaches.net, this is Instructure's second disclosed breach in less than a year. The previous incident in late 2025 was smaller in scope, but a pattern of repeated compromises raises questions about the company's security posture.

Instructure went public in 2015, was taken private by Thoma Bravo in 2020 for $2 billion, and has since expanded aggressively into corporate learning markets. Growth-focused acquisitions sometimes outpace security integration work.

What Affected Schools Should Do

Institutions using Canvas should assume their user data may be compromised and take proactive steps:

1. Force password resets for all Canvas users, regardless of Instructure's statement that passwords weren't affected—better safe than sorry
2. Enable MFA if not already required for all user accounts
3. Review API integrations and rotate credentials for any third-party tools connected to Canvas
4. Notify parents and students about the potential exposure and phishing risks
5. Monitor for credential stuffing against other school systems using Canvas email addresses

Teachers should be warned to expect targeted phishing attempts impersonating Instructure or their school's IT department. The stolen data gives attackers everything needed to craft convincing lures.

Ransom Deadline Approaching

ShinyHunters' May 6 deadline is two days away. If Instructure doesn't pay—and most companies advised by incident response firms don't—expect the data to appear on dark web marketplaces or leak sites within the week.

The FBI advises against paying ransoms since payment doesn't guarantee data deletion and funds future criminal operations. For educational institutions, the calculus is complicated by the involvement of minors' data and the regulatory requirements around student privacy under FERPA.

Check Instructure's security bulletin for updates as the situation develops.