ShinyHunters Claims 275 Million Canvas Records Stolen in Instructure Breach

TL;DR: ShinyHunters alleges it exfiltrated about 275 million records from Instructure’s Canvas LMS, impacting roughly 8,800 schools and universities. Instructure confirmed a cyber incident in its cloud environment and is working with investigators.

Context: Instructure provides the Canvas learning management system used by K‑12 districts, colleges, and online education platforms worldwide. The company hosts many Canvas instances in its own cloud, making a breach of that environment potentially widespread.

Key Facts: ShinyHunters told BleepingComputer it stole approximately 275 million records tied to students, teachers, and staff. The group shared a list of 8,809 educational entities whose Canvas instances they claim were compromised, with per‑institution exposure ranging from tens of thousands to several million records. Instructure’s statement acknowledged a cyber incident and said it has engaged third‑party forensic experts to assess the scope.

What It Means: If the claim is accurate, the breach ranks among the largest education‑sector data exposures ever reported, potentially compromising personal identifiers, email addresses, and enrollment data. Affected institutions may face heightened phishing risk as attackers reuse authentic school details in social‑engineering lures.

Mitigations: - Institutions should force password resets for all Canvas accounts and enable multi‑factor authentication where supported. - Review audit logs for unusual authentication patterns, especially from unfamiliar IP addresses, and apply detection rules for MITRE ATT&CK T1078 (Valid Accounts) and T1059 (Command‑Line Interface). - Apply any patches or configuration advisories released by Instructure for its cloud Canvas service. - Monitor for credential dumping tools and consider deploying endpoint detection and response (EDR) solutions that flag LSASS access. - Communicate clearly with students, parents, and staff about the incident, providing guidance on recognizing phishing attempts and securing personal accounts.

Watch for Instructure’s official post‑mortem report and any updates from law‑enforcement or regulatory bodies regarding the validity of the 275‑million‑record claim.