Instructure Restores Canvas After ShinyHunters Claims 3.65 TB Education Data Theft
Instructure restores Canvas after a cyberattack; ShinyHunters claims 3.65 TB stolen affecting 275 million users. Learn the impact and mitigations.

TL;DR: Instructure restored Canvas services after a cyberattack that exposed personal data of millions; the ShinyHunters extortion group claims to have exfiltrated 3.65 TB covering 275 million individuals.
Context
Instructure, the Utah-based provider of the Canvas learning platform, faced a weekend-long outage that disrupted API-driven tools used by thousands of schools. The breach was disclosed on April 30, and by May 3 the company had re-enabled access to its Canvas Data 2 service.
Key Facts
- Attackers compromised API keys, forcing Instructure to revoke and re-issue application credentials on May 2.
- Forensic investigators were engaged on May 1; the firm says no passwords, dates of birth, government IDs or financial data were taken.
- Exfiltrated records include names, email addresses, student identification numbers and user messages.
- ShinyHunters, a known extortion group, posted the stolen data on a Tor site, claiming 3.65 TB of information from roughly 9,000 institutions and 275 million students, teachers and staff. The group also alleges access to Instructure’s Salesforce CRM.
- Instructure has not identified the threat actor or disclosed the exact number of affected institutions.
What It Means
The breach highlights the risk of over-privileged API tokens in education technology stacks. Re-issuing keys and revoking privileged credentials limited further data loss, but the volume of information claimed by ShinyHunters suggests a prolonged exfiltration period. Institutions using Canvas must assume that personal identifiers are now searchable by malicious actors, increasing the likelihood of phishing or credential-stuffing attacks.
Mitigations – What Defenders Should Do
1. Rotate all API keys and OAuth tokens linked to Canvas and associated services; enforce least-privilege scopes.
2. Deploy multi-factor authentication for all privileged accounts, especially those with access to student data.
3. Monitor for anomalous data transfers using DLP (Data Loss Prevention) tools that can flag large outbound flows matching the 3.65 TB volume.
4. Apply any patches released by Instructure and verify that CVE-2023-XXXXX (hypothetical vulnerability in the Canvas API) is mitigated.
5. Conduct credential-reuse checks against exposed emails and IDs; force password resets where reuse is detected.
6. Review Salesforce security settings, revoke unused tokens, and enable login alerts for suspicious IPs.
7. Update incident response playbooks to include API-key compromise scenarios and integrate MITRE ATT&CK technique T1078 (Valid Accounts) detection signatures.
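One way to act on mitigations 3 and 7, as an added example that is not code from Instructure or from the original article: a per-API-key egress review that compares each key's daily response volume with its own baseline and flags sustained excess, which a single absolute threshold would miss for a key that is normally low-volume. The record layout, key names, addresses, thresholds and the `review_keys` function are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (day, api_key_id, source_ip, response_bytes).
# The layout is an assumption for illustration, not a Canvas log format.
MB = 1_000_000
SAMPLE = [
    ("d1", "key-sis-sync", "198.51.100.10", 40 * MB),
    ("d2", "key-sis-sync", "198.51.100.10", 42 * MB),
    ("d3", "key-sis-sync", "198.51.100.10", 38 * MB),
    ("d1", "key-reporting", "198.51.100.20", 300 * MB),
    ("d2", "key-reporting", "198.51.100.20", 310 * MB),
    ("d3", "key-reporting", "198.51.100.20", 290 * MB),
    # Observation window: key-sis-sync pulls far more, from a new address.
    ("d4", "key-sis-sync", "198.51.100.10", 41 * MB),
    ("d4", "key-sis-sync", "203.0.113.77", 400 * MB),
    ("d5", "key-sis-sync", "203.0.113.77", 450 * MB),
    ("d6", "key-sis-sync", "203.0.113.77", 430 * MB),
    ("d4", "key-reporting", "198.51.100.20", 320 * MB),
    ("d5", "key-reporting", "198.51.100.20", 1700 * MB),  # one-off export
    ("d6", "key-reporting", "198.51.100.20", 305 * MB),
]

def review_keys(records, baseline_days, factor=5.0, min_days=2):
    """Return {key: {"high_days": [...], "new_ips": [...]}} for keys whose
    egress stays above factor x their own baseline median on >= min_days."""
    per_day = defaultdict(lambda: defaultdict(int))
    base_ips = defaultdict(set)
    later_ips = defaultdict(set)
    for day, key, ip, nbytes in records:
        per_day[key][day] += nbytes
        (base_ips if day in baseline_days else later_ips)[key].add(ip)
    findings = {}
    for key, days in per_day.items():
        base = [b for d, b in days.items() if d in baseline_days]
        # A key with no baseline history gets limit 0: any use counts as high.
        limit = factor * median(base) if base else 0
        high = sorted(d for d, b in days.items()
                      if d not in baseline_days and b > limit)
        if len(high) >= min_days:
            findings[key] = {"high_days": high,
                             "new_ips": sorted(later_ips[key] - base_ips[key])}
    return findings

if __name__ == "__main__":
    for key, detail in review_keys(SAMPLE, {"d1", "d2", "d3"}).items():
        print(key, detail)
```

On the constructed data, a flat 1 GB/day alert would fire on the reporting key's single large export and stay silent on the sync key, whose 400 to 450 MB days are more than ten times its own norm.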
Looking Ahead
Watch for further disclosures from Instructure on the scope of the Salesforce breach and any law-enforcement actions against ShinyHunters. Organizations should prepare for potential follow-up phishing campaigns targeting the newly exposed identifiers.