Instructure Breach Exposes Data of 275 Million Users as ShinyHunters Claims Responsibility

Instructure, the U.S. maker of the Canvas learning management system, disclosed on Friday that it suffered a cybersecurity incident and is working with outside experts and law enforcement. On Saturday the company updated that personal information of users had been accessed. The attacker allegedly exploited a vulnerability in Instructure’s systems, which has since been patched.

- Exposed data includes names, email addresses, student ID numbers, and user‑to‑user messages; no evidence yet shows passwords, birth dates, government IDs, or financial data were taken. - ShinyHunters claims the breach affected roughly 9,000 schools and the personal data of about 275 million students, teachers, and staff worldwide. - The threat actor says the dataset contains over 240 million records, including enrolled courses and private conversations, and that a Salesforce instance was also compromised. - Instructure has deployed patches, increased monitoring, and rotated application keys; customers must re‑authorize API access for new keys.

The incident highlights the risk posed by vulnerabilities in widely used edtech platforms, especially when attackers chain access to ancillary services like Salesforce. Exposure of messaging content can enable social engineering or credential‑phishing campaigns against educators and students. While financial data appears untouched, the sheer volume of personally identifiable information raises concerns about identity theft and targeted scams.