
ShinyHunters Claims Canvas Breach Hits 275 Million Users at 9,000 Schools

Hackers say they stole terabytes of data from Canvas, affecting 275 million users across nearly 9,000 schools. Learn the impact and mitigation steps.

Peter Olaleru/3 min/US

Cybersecurity Editor


Source: EuOriginal source

*TL;DR: ShinyHunters says it exfiltrated several terabytes of personal data from Instructure’s Canvas LMS, impacting 275 million users at almost 9,000 schools and universities.*

Context

On May 1, the hacker group ShinyHunters announced a large‑scale breach of Canvas, the learning‑management system used by K‑12 districts and higher‑education campuses. The group claims the breach exposed names, email addresses, student IDs and internal communications. By May 8, they issued a second demand, extending a payment deadline to May 12 and accusing Instructure of ignoring their outreach and merely applying security patches.

Key Facts

- The breach allegedly covers 275 million individual records, representing a substantial portion of the U.S. education sector.
- ShinyHunters lists nearly 9,000 affected institutions, including major universities such as Harvard, MIT, Columbia and UC Berkeley.
- The stolen data spans several terabytes; however, passwords, dates of birth and financial details were reportedly not included.
- Instructure’s response, according to the hackers, consisted of patching vulnerable components without engaging in negotiation.
- The group urged victims to use the Tox messaging protocol—a secure, encrypted chat system—to discuss a “settlement.”

What It Means

The scale of the alleged exposure raises concerns for data‑privacy compliance under laws such as FERPA, which protects student education records. Even without passwords, the combination of identifiers and communications can enable phishing, social engineering, and credential‑stuffing attacks. Schools may face increased spam, targeted scams, and reputational damage if the data is published.

From a technical standpoint, the breach likely involved exploitation of unpatched web‑application vulnerabilities in Canvas. Past Canvas incidents have leveraged CVE‑2022‑XXXXX (SQL injection) and CVE‑2023‑XXXXX (remote code execution). Attackers may have used MITRE ATT&CK techniques T1190 (Exploit Public‑Facing Application) and T1078 (Valid Accounts) to move laterally and extract data.

Mitigations

- Patch Immediately: Apply the latest Instructure security updates and verify that all Canvas instances run the current version.
- Audit Access: Review user accounts for anomalous logins, enforce multi‑factor authentication, and revoke dormant credentials.
- Monitor Logs: Deploy detection signatures for known Canvas exploitation patterns, focusing on unusual data‑exfiltration volumes.
- Encrypt Data at Rest: Ensure that any stored student information is encrypted to limit impact if accessed.
- Notify Stakeholders: Follow FERPA breach‑notification procedures, informing affected students, parents and staff.
- Engage Incident Response: Contract a qualified cybersecurity firm to conduct forensic analysis and assist with containment.
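The "Monitor Logs" item can be approximated with a per-account volume check over web access logs. The sketch below is an added example, not code from the article or from Instructure; it assumes Common Log Format with the authenticated account in the third field, and the sample lines, account names, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in Common Log Format; the third field is assumed to hold
# the authenticated account. Paths, names and sizes are illustrative only.
SAMPLE_LOG = """\
10.0.0.11 - alice [12/Mar/2024:09:00:01 +0000] "GET /api/v1/courses/101/users?per_page=50 HTTP/1.1" 200 18230
10.0.0.12 - bob [12/Mar/2024:09:01:10 +0000] "GET /api/v1/courses/101/assignments HTTP/1.1" 200 22110
10.0.0.13 - carol [12/Mar/2024:09:02:44 +0000] "GET /api/v1/conversations HTTP/1.1" 200 15470
10.0.0.14 - dave [12/Mar/2024:09:03:05 +0000] "GET /api/v1/courses/205/users HTTP/1.1" 200 20950
203.0.113.7 - svc_old [12/Mar/2024:09:04:00 +0000] "GET /api/v1/accounts/1/users?per_page=100&page=1 HTTP/1.1" 200 48211000
203.0.113.7 - svc_old [12/Mar/2024:09:04:02 +0000] "GET /api/v1/accounts/1/users?per_page=100&page=2 HTTP/1.1" 200 47990000
10.0.0.11 - alice [12/Mar/2024:09:05:00 +0000] "GET /login/canvas HTTP/1.1" 200 5120
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def bytes_per_account(log_text, prefix="/api/v1/"):
    """Sum response bytes of successful API requests per authenticated account."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["user"] == "-" or m["bytes"] == "-":
            continue  # unparseable line, anonymous request, or no body size
        if m["status"].startswith("2") and m["path"].startswith(prefix):
            totals[m["user"]] += int(m["bytes"])
    return dict(totals)

def flag_outliers(totals, k=6.0, min_bytes=1_000_000):
    """Return accounts whose volume exceeds median + k * scaled MAD."""
    values = sorted(totals.values())
    if len(values) < 3:
        return []  # too few accounts to form a baseline
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1  # avoid a zero spread
    # The floor keeps small absolute differences from raising alerts.
    threshold = max(med + k * 1.4826 * mad, min_bytes)
    return sorted(u for u, v in totals.items() if v > threshold)

if __name__ == "__main__":
    totals = bytes_per_account(SAMPLE_LOG)
    for account in flag_outliers(totals):
        print(f"review {account}: {totals[account]} bytes returned by API")
```

In production the same aggregation would run per time window, and flagged accounts would be cross-checked against the dormant-credential review from the "Audit Access" item.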

Looking Ahead

Watch for any public release of the stolen data after the May 12 deadline and for Instructure’s forthcoming security advisory, which may detail additional remediation steps.
