ShinyHunters Allegedly Steals 275 Million Records from Instructure's Canvas Platform

TL;DR ShinyHunters claims to have exfiltrated 3.65 TB of data from Instructure’s Canvas LMS, affecting roughly 275 million users across nearly 9,000 schools. No passwords were taken, but names, emails, student IDs and private messages were exposed.

Context Instructure reported a service disruption on April 30 and confirmed a cybersecurity incident the next day. On May 1 the company said a criminal threat actor was responsible. By May 2 Instructure had patched systems, revoked credentials and rotated API keys. ShinyHunters posted the alleged stolen data on May 3, uploading 3.65 TB to its leak site.

Key Facts - The breach allegedly affects 275 million users at close to 9,000 educational institutions worldwide. - Exposed data includes names, email addresses, student IDs and private messages exchanged on Canvas. - Instructure confirmed that passwords and other authentication credentials were not stolen. - ShinyHunters also claims to have accessed Instructure’s Salesforce instance and billions of private messages. - The group has been linked to recent breaches at Panera Bread, ADT, Crunchyroll, Bumble and Rockstar Games.

What It Means The stolen personal details enable phishing and social‑engineering campaigns targeting students, teachers and staff. Attackers can use the data to craft convincing lures or attempt credential stuffing on other services. Defenders should treat the exposed information as a precursor to further intrusion attempts.

Mitigations - Rotate all API keys, service accounts and OAuth tokens associated with Canvas and any integrated Salesforce environments. - Enforce multi‑factor authentication for all administrative and user accounts. - Monitor for anomalous outbound data transfers (MITRE ATT&CK T1041) and unusual API call volumes. - Review and harden third‑party integrations, applying the principle of least privilege. - Deploy detection rules for known ShinyHunters TTPs, such as phishing (T1566) and abuse of valid accounts (T1078). - Educate users about increased phishing risk and encourage reporting of suspicious messages.

Watch for Instructure’s post‑mortem report, any regulatory notifications, and whether threat actors attempt to leverage the exposed data in follow‑on attacks.