Cybersecurity · 2 hrs ago

ShinyHunters Claims 275 Million Canvas Users Exposed in Instructure Breach

Instructure confirms a Canvas data breach exposing personal data; ShinyHunters claims 275 million records stolen. Details, impact and defender steps.

Peter Olaleru/3 min/US

Cybersecurity Editor


TL;DR: Instructure disclosed a cyberattack on its Canvas learning management system that exposed personal data and messages. ShinyHunters claims responsibility for up to 275 million stolen records.

Context

On April 30, Instructure reported service disruptions tied to API key usage and began restoring access by May 3. The company confirmed that external forensic experts were engaged and that the attack had been contained, though investigations continue.

Key Facts

Instructure stated that names, email addresses, student IDs and user messages were accessed. It emphasized that passwords, dates of birth, government identifiers and financial data were not exposed based on current findings. ShinyHunters posted on its leak site that it stole between 240 million and 275 million records, totaling roughly 3.65 terabytes, affecting up to 15,000 institutions and nearly 9,000 schools worldwide.

What It Means

The breach highlights the value of educational platforms as targets for large‑scale data theft. Even without financial data, the exposure of private academic conversations and identifiers can enable phishing, identity theft and reputational harm for schools and students.

Mitigations

Organizations using Canvas should immediately rotate all API keys and revoke any compromised tokens. Enforce multi‑factor authentication for administrative accounts and review privileged access logs for anomalous activity. Deploy detection rules for unusual data exfiltration patterns, such as large outbound transfers to unfamiliar endpoints (MITRE ATT&CK T1041). Apply the latest security patches for Canvas and related integrations, and monitor vendor advisories for any CVEs related to the exploited vulnerability.
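The exfiltration detection rule suggested above, sketched as an added example that is not from Instructure or the original article: it sums outbound bytes per hour, source and destination from flow records and reports totals above a threshold that go to destinations outside a known-good list. The record layout, host names, networks and the 1 GB threshold are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real data), one per line:
# timestamp, source host, destination IP, bytes sent outbound.
SAMPLE_FLOWS = """\
2025-01-01T02:00:00Z,lms-app-01,203.0.113.50,900000000
2025-01-01T02:05:00Z,lms-app-01,203.0.113.50,1200000000
2025-01-01T02:06:00Z,lms-app-01,198.51.100.7,4000000
2025-01-01T02:10:00Z,lms-app-02,192.0.2.10,3000000000
2025-01-01T02:15:00Z,lms-db-01,203.0.113.50,200000000
"""

# Assumed baseline: networks this environment normally sends bulk data to
# (for example a backup provider). Build it from your own traffic history.
KNOWN_DESTINATIONS = [ipaddress.ip_network("192.0.2.0/24")]
THRESHOLD_BYTES = 1_000_000_000  # assumed alert level per source/destination/hour


def is_known(ip_text):
    """True when the destination falls inside a baselined network."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in KNOWN_DESTINATIONS)


def find_exfil_candidates(flow_text, threshold=THRESHOLD_BYTES):
    """Return (hour, source, destination, total_bytes) tuples worth triaging."""
    totals = defaultdict(int)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 4:
            continue  # skip malformed records instead of aborting the run
        ts, src, dst, nbytes = row
        try:
            count = int(nbytes)
            known = is_known(dst)
        except ValueError:
            continue  # non-numeric byte count or unparsable address
        if not known:
            totals[(ts[:13], src, dst)] += count  # ts[:13] is the hour bucket
    return sorted(key + (total,) for key, total in totals.items()
                  if total >= threshold)


if __name__ == "__main__":
    for hour, src, dst, total in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"{hour} {src} -> {dst}: {total} bytes to an unfamiliar endpoint")
```

Fixed hour buckets miss a transfer that straddles the hour boundary, so a production rule would use a sliding window and also total bytes per destination across all sources.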

Watch for Instructure’s official breach report, any regulatory notifications, and further details from law‑enforcement investigations that may clarify the exact scope and attack vector.
