Instructure Data Breach Exposes Hundreds of Millions of Records Across Thousands of Schools
Instructure breach leaks personal data and billions of messages from thousands of schools; passwords and financial data not compromised.
TL;DR: Instructure confirmed a breach that exposed personal information of about 275 million users and several billion private messages across roughly 15,000 institutions. The ShinyHunters gang claims responsibility, citing a now‑patched vulnerability.
Context
Instructure, maker of the Canvas learning management system, disclosed a cybersecurity incident on Friday and updated the statement Saturday to confirm data exposure. The company is working with third‑party experts and law enforcement while the ShinyHunters extortion gang posted the stolen data on its leak site.
Key Facts
- Nearly 9,000 schools and 275 million individuals (students, teachers, and staff) had personally identifiable information exposed.
- The breach included several billion private messages containing personal conversations and other sensitive details.
- Instructure states there is no evidence that passwords, dates of birth, government identifiers, or financial information were accessed.
- The threat actor alleges over 240 million records tied to users at almost 15,000 institutions in North America, Europe, and Asia‑Pacific.
- ShinyHunters says the data was taken via a vulnerability in Instructure’s systems that has since been patched.
What It Means
The incident highlights the value of educational platforms as targets for data theft and extortion. While core credentials appear safe, the scale of exposed identifiers and messages raises risks of phishing, social engineering, and identity‑theft campaigns. Institutions relying on Canvas should assume their user directories and communications may be compromised and monitor for misuse.
What Defenders Should Do
- Apply the latest patches released by Instructure for the exploited vulnerability (track via CVE‑2024‑XXXX if assigned).
- Rotate all application keys and require customers to re‑authorize API access as Instructure has directed.
- Enable heightened logging for authentication and message‑access events; look for MITRE ATT&CK technique T1078 (Valid Accounts) and T1190 (Exploit Public‑Facing Application).
- Reset user passwords as a precaution, even though Instructure reports no password exposure, and enforce multi‑factor authentication where possible.
- Review third‑party integrations, especially Salesforce connections mentioned by the threat actor, for unauthorized changes.
Watch for any updates from Instructure regarding additional data types, potential extortion demands, and whether threat actors begin leveraging the leaked messages in targeted campaigns.