Instructure Breach Exposes Data of Millions as ShinyHunters Claims 9,000 Schools Hit

Instructure, the maker of the Canvas learning platform, announced that attackers accessed private information stored in its systems. The company said some products were taken offline for maintenance and were restored by Tuesday. ShinyHunters, a financially motivated hacking group known for extortion, posted a claim on its leak site and shared a data sample with TechCrunch.

- Instructure confirmed the breach exposed students’ private information, including names, personal email addresses and messages between teachers and students. - ShinyHunters told TechCrunch the breach impacted nearly 9,000 schools globally and about 275 million people, with 231 million unique email addresses in the stolen data. - The hacker group provided a sample containing data from a Massachusetts school (messages, names, emails, some phone numbers) and a Tennessee school (full names and emails). No passwords were in the sample. - Instructure lists over 8,000 institutions as customers; ShinyHunters shared a list of roughly 8,800 schools allegedly affected, though TechCrunch could not verify each entry.

The incident highlights the risk of centralized education platforms holding large volumes of personal data. If the attackers’ numbers are accurate, the breach ranks among the largest education‑sector data exposures. Schools relying on Canvas may face increased phishing and identity‑theft risks for students and staff. The lack of password exposure reduces immediate credential‑stuffing danger, but leaked messages could enable social engineering.

- Enforce multi‑factor authentication on all admin and user accounts for Canvas and related services. - Review and restrict API access; apply the principle of least privilege to integrations. - Monitor logs for unusual data exfiltration patterns, especially large outbound transfers to unfamiliar IP addresses (MITRE ATT&CK T1041). - Apply the latest security patches for any third‑party components used with Canvas; subscribe to Instructure’s security advisory mailing list. - Educate students and staff about recognizing phishing attempts that may reference leaked course messages.