
Instructure Canvas Breach Exposes Hundreds of Millions of User Records, ShinyHunters Claims

Details on the Instructure Canvas data breach, ShinyHunters' claim of 240‑275 million exposed records, and steps defenders should take.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Secure

Instructure confirmed a breach of its Canvas learning management system after attackers accessed API keys and exfiltrated user data. ShinyHunters claims 240‑275 million records were stolen, though Instructure says passwords and financial data remain safe.

Context

On April 30, Instructure reported service disruptions affecting Canvas tools that rely on API keys. By May 3, most functionality was restored after the company revoked privileged credentials and rotated application keys. The disruption impacted tools used by roughly 15,000 institutions worldwide. The company brought in external forensic experts and said it is working quickly to understand the breach’s extent and minimize its impact.

Key Facts

ShinyHunters posted on its leak site that it stole between 240 million and 275 million records, totaling roughly 3.65 terabytes of data. The alleged dataset includes names, email addresses, student ID numbers, and user‑to‑user messages across thousands of institutions. Instructure stated that no passwords, dates of birth, government IDs, or financial data were exposed based on current findings. ShinyHunters has previously claimed large‑scale breaches involving Salesforce and other enterprise systems. The attack appears to have started with compromised API keys, a technique mapped to MITRE ATT&CK T1078 (Valid Accounts) and T1190 (Exploit Public‑Facing Application).

What It Means

The breach highlights the risk of over‑privileged API credentials in widely used edtech platforms. Even without financial data, exposure of personal identifiers and private communications can enable phishing, identity theft, and reputational damage for institutions. The scale—potentially affecting hundreds of millions of users—makes this one of the largest education‑sector incidents reported. Regulators may scrutinize the incident under student‑data protection laws such as FERPA.

Mitigations

Organizations using Canvas should immediately review and rotate any API keys or service accounts, enforce least‑privilege access, and enable multi‑factor authentication for admin accounts. Security teams should monitor for anomalous API usage patterns and implement detection rules for MITRE T1078 and T1190. Applying Instructure’s latest patches and reviewing third‑party integrations for excessive permissions are also recommended. Institutions should also review data retention policies to limit the amount of personal data stored in accessible environments. Finally, consider conducting a tabletop exercise focused on API‑key compromise scenarios.
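One way to monitor for anomalous API-key usage, as an added example that is not from Instructure or the original article: it baselines each key's source IPs, endpoint families and peak hourly volume, then flags departures in a later hour. The log schema, key names, IP addresses and request paths are constructed sample values, and the threshold factor is an assumption to tune per environment.

```python
import re
from collections import Counter, defaultdict

def family(path):
    # Collapse numeric ids so per-object requests group into one endpoint family.
    return re.sub(r"/\d+(?=/|$)", "/:id", path)

def summarize(events):
    # Per key: source IPs seen, endpoint families seen, request count per hour.
    ips, fams, hourly = defaultdict(set), defaultdict(set), defaultdict(Counter)
    for hour, key, ip, path in events:
        ips[key].add(ip)
        fams[key].add(family(path))
        hourly[key][hour] += 1
    return ips, fams, hourly

def detect(baseline, window, factor=5):
    # Compare one hour of traffic with the baseline; return {key: [reasons]}.
    b_ips, b_fams, b_hourly = summarize(baseline)
    w_ips, w_fams, w_hourly = summarize(window)
    alerts = {}
    for key in w_hourly:
        if key not in b_hourly:
            alerts[key] = ["unknown_key"]  # key never seen during baseline
            continue
        reasons = []
        if w_ips[key] - b_ips[key]:
            reasons.append("new_source_ip")
        if w_fams[key] - b_fams[key]:
            reasons.append("new_endpoint_family")  # scope broader than the key's job
        if sum(w_hourly[key].values()) > factor * max(b_hourly[key].values()):
            reasons.append("volume_spike")
        if reasons:
            alerts[key] = reasons
    return alerts

# Constructed sample data (hour, key_id, source_ip, path); not real Canvas logs.
BASELINE = [(h, "lti-gradebook", "10.0.0.5", f"/api/v1/courses/{c}/assignments")
            for h in range(24) for c in (101, 102, 103)]
BASELINE += [(h, "sis-sync", "10.0.0.9", "/api/v1/accounts/1/users")
             for h in range(24) for _ in range(2)]
WINDOW = [(9, "lti-gradebook", "10.0.0.5", "/api/v1/courses/101/assignments")] * 3
WINDOW += [(9, "sis-sync", "203.0.113.7", f"/api/v1/conversations/{n}")
           for n in range(40)]

if __name__ == "__main__":
    print(detect(BASELINE, WINDOW))
```

A key that triggers `new_endpoint_family` is also a least-privilege finding: its granted scope allowed requests its integration never needed during the baseline.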

What to watch next

Investigators will verify the exact number of affected records and whether any additional data types were accessed; updates from Instructure and law‑enforcement notices will shape the next steps for affected schools and vendors.
