Instructure Breach Exposes Names, Emails and Student IDs After 3.65 TB Heist
Instructure confirmed a cyberattack leaking personal data for up to 275 million users; ShinyHunters claims a 3.65 TB theft.

TL;DR
– Instructure suffered a cyberattack that exposed names, email addresses and student ID numbers for up to 275 million individuals; the ShinyHunters group alleges a 3.65 TB data theft.
Context
Instructure, the Utah-based provider of the Canvas learning platform, reported a weekend-long outage that began on April 30. The disruption stemmed from compromised API keys used by third-party tools. By May 3 the company restored access to its Canvas Data 2 service and began re-issuing application keys.
Key Facts
- Attackers accessed personal identifiers: names, email addresses and student ID numbers. User messages were also taken.
- Instructure found no evidence that passwords, birth dates, government IDs or financial data were compromised.
- The extortion group ShinyHunters posted the stolen files on a Tor-hosted leak site, claiming 3.65 TB of data covering roughly 275 million students, teachers and staff at about 9,000 institutions worldwide.
- The breach also reportedly included the company’s Salesforce customer-relationship system, though Instructure has not confirmed the extent.
- Forensic investigators were engaged on May 1, and the firm revoked privileged credentials, rotated access tokens and deployed additional monitoring.
What It Means
The exposed data set is sufficient for credential-stuffing attacks if combined with passwords obtained elsewhere, and for targeted phishing campaigns against students and faculty. While financial and government identifiers remain safe, the loss of student IDs creates a persistent identifier that can be leveraged for social engineering.
Mitigations
- Immediately rotate all API keys and OAuth tokens linked to Canvas integrations.
- Enforce multi-factor authentication for privileged accounts and any service that accesses student data.
- Deploy detection signatures for MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566.002 (Phishing: Spearphishing Link), which align with the observed intrusion pattern.
- Apply any pending patches for the underlying web framework and ensure TLS 1.3 is enforced for all external connections.
- Conduct a credential-reuse audit; force password resets for any accounts that may have been reused on other services.
- Monitor for suspicious outbound traffic from Salesforce APIs and implement strict IP allow-lists.
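The key-rotation, allow-list and Valid Accounts (T1078) checks above, expressed as detection logic over integration API logs. This is an added example, not code from the article or from Instructure; the log format, key names, inventory, rotation cutoff and volume threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

ROTATION_CUTOFF = datetime.fromisoformat("2025-01-10T00:00:00+00:00")  # constructed date
BULK_BYTES = 500_000_000  # assumed per-key volume threshold for the log window

# Hypothetical key inventory: key id -> (issued_at, allowed source networks)
INVENTORY = {
    "lti-gradebook": ("2025-01-10T08:00:00+00:00", ["198.51.100.0/24"]),
    "sis-sync": ("2024-09-02T09:00:00+00:00", ["203.0.113.0/28"]),
}

# Constructed sample lines: timestamp key_id source_ip path response_bytes
SAMPLE_LOG = """\
2025-01-11T02:14:07+00:00 lti-gradebook 198.51.100.23 /api/v1/courses 18422
2025-01-11T02:15:31+00:00 sis-sync 203.0.113.5 /api/v1/users 20711
2025-01-11T02:16:02+00:00 lti-gradebook 192.0.2.77 /api/v1/users 410000000
2025-01-11T02:16:40+00:00 lti-gradebook 192.0.2.77 /api/v1/conversations 350000000
2025-01-11T02:17:12+00:00 old-reporting 198.51.100.23 /api/v1/users 912
"""

def find_alerts(log_text, inventory=INVENTORY, cutoff=ROTATION_CUTOFF):
    """Return a sorted list of (key_id, reason) findings."""
    alerts, volume = set(), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at fields
        _, key_id, src, _, size = parts
        if key_id not in inventory:
            alerts.add((key_id, "unknown_key"))  # key that is not in the inventory at all
            continue
        issued, cidrs = inventory[key_id]
        if datetime.fromisoformat(issued) < cutoff:
            alerts.add((key_id, "stale_key"))  # issued before rotation, still in use
        ip = ipaddress.ip_address(src)
        if not any(ip in ipaddress.ip_network(c) for c in cidrs):
            alerts.add((key_id, "off_allowlist"))  # valid key, unexpected source
        volume[key_id] += int(size)
    alerts |= {(k, "bulk_volume") for k, v in volume.items() if v > BULK_BYTES}
    return sorted(alerts)

if __name__ == "__main__":
    for key_id, reason in find_alerts(SAMPLE_LOG):
        print(f"{reason:14} {key_id}")
```

A valid key used from an unexpected network is the signal that separates credential abuse from normal integration traffic, which is why the allow-list check runs per key rather than globally.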
Looking Ahead
Watch for regulatory filings that may reveal the exact number of affected institutions and for any follow-up disclosures from ShinyHunters regarding additional data dumps.