
Instructure Confirms 3.65 TB Data Breach After ShinyHunters Claim

Instructure's Canvas platform suffered a breach exposing 3.65 TB of user data; see the timeline, impact and recommended mitigations.

Peter Olaleru/3 min/GB

Cybersecurity Editor

Source: Claimdepot

– Instructure disclosed a breach that exposed 3.65 TB of Canvas data; the incident was flagged on May 1 and confirmed by the ShinyHunters group on May 2.

Context

Instructure, the company behind Canvas, powers learning management for thousands of institutions worldwide. On April 30, the status page warned of limited API‑key disruptions, a precursor to a larger incident. The following day, Chief Information Security Officer Steve Proud emailed customers, confirming a criminal threat actor had breached the platform. By May 2, the hacking group ShinyHunters posted on a Tor forum that it had exfiltrated 3.65 TB of data.

Key Facts

- The breach affected Canvas Data 2, Canvas Beta, and Canvas Test, all placed under maintenance. By May 4, Data 2 and Beta were restored; Test remained offline.
- Exfiltrated data included names, email addresses, student IDs and user messages. No passwords, dates of birth, government IDs or financial records were found.
- The University of Massachusetts Amherst labeled the event a “vendor‑driven national event affecting multiple institutions,” underscoring the breadth of impact.
- Service degradation persisted through early May, with users reporting slowness, page errors and document‑viewing failures.
- Instructure engaged external forensics teams and posted regular updates on its status page, stating the breach was contained on May 2.

What It Means

The breach highlights the risk of centralized education platforms becoming high‑value targets for cybercriminals. Exposure of student identifiers can facilitate phishing attacks and social engineering, even without password leaks. Institutions must assume that any compromised identifiers can be leveraged for credential‑stuffing attacks on other services where users may reuse passwords.

Mitigations – What Defenders Should Do

1. Rotate API keys – Immediately revoke and regenerate any Canvas API credentials used by integrations.
2. Enforce MFA – Require multi‑factor authentication for all staff and student accounts linked to Canvas.
3. Monitor for credential‑stuffing – Deploy detection rules for repeated login failures and anomalous access patterns, referencing MITRE ATT&CK technique T1110 (Brute Force).
4. Patch third‑party components – Verify that all Canvas plugins and extensions are updated to the latest versions; apply any CVE patches released by Instructure.
5. Conduct phishing simulations – Test user awareness of phishing attempts that may use exposed identifiers.
6. Review data retention – Limit storage of personally identifiable information to the minimum required for educational purposes.
7. Update incident response plans – Incorporate lessons from this breach, including rapid notification procedures and coordination with external forensics.
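A sketch of the detection rule from mitigation 3, added here as an example and not taken from Instructure or the original article: it flags a source IP whose failed logins hit many distinct accounts inside a short window, then reports any account that logs in successfully from that IP afterwards. The log format, thresholds and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <source IP> <username> <FAIL|OK>", oldest first.
SAMPLE_LOG = """\
2000-01-01T10:00:00 198.51.100.20 bob@example.edu FAIL
2000-01-01T10:00:05 203.0.113.7 alice@example.edu FAIL
2000-01-01T10:00:09 198.51.100.20 bob@example.edu FAIL
2000-01-01T10:00:20 203.0.113.7 carol@example.edu FAIL
2000-01-01T10:00:31 198.51.100.20 bob@example.edu OK
2000-01-01T10:00:40 203.0.113.7 dave@example.edu FAIL
2000-01-01T10:01:02 203.0.113.7 erin@example.edu FAIL
2000-01-01T10:01:15 203.0.113.7 frank@example.edu OK
2000-01-01T10:02:00 192.0.2.50 gina@example.edu FAIL
2000-01-01T10:12:00 192.0.2.50 hank@example.edu FAIL
2000-01-01T10:22:00 192.0.2.50 ivan@example.edu FAIL
2000-01-01T10:32:00 192.0.2.50 judy@example.edu FAIL
"""

WINDOW = timedelta(minutes=5)   # assumed look-back window; tune to your traffic
MIN_DISTINCT_USERS = 4          # assumed threshold; tune to your traffic


def detect_stuffing(log_text, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Map each flagged source IP to the accounts it targeted and those it got into."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures still inside the window
    alerts = {}                  # ip -> {"targeted": set, "succeeded": set}
    for line in log_text.strip().splitlines():
        stamp, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(stamp)
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()   # expire failures older than the window
        if outcome == "FAIL":
            failures.append((ts, user))
            users = {u for _, u in failures}
            # One user mistyping a password stays at 1 distinct account;
            # many distinct accounts from one source is the stuffing pattern.
            if len(users) >= min_users:
                alerts.setdefault(ip, {"targeted": set(), "succeeded": set()})
                alerts[ip]["targeted"] |= users
        elif outcome == "OK" and ip in alerts:
            # Any success from an already-flagged source is a likely takeover:
            # force a password reset and revoke that account's sessions.
            alerts[ip]["succeeded"].add(user)
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "targeted", sorted(hit["targeted"]), "succeeded", sorted(hit["succeeded"]))
```

Keying only on source IP misses attempts spread across many addresses, so pair this with a per-account failure count and new-device or new-location checks.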

Looking Ahead

Watch for Instructure’s final forensic report, potential regulatory actions in the UK and EU, and any new threat‑actor activity targeting education‑technology supply chains.
