ShinyHunters Claims 275 Million User Records Stolen in Instructure Canvas Breach
ShinyHunters alleges theft of 275 million Instructure Canvas user records, including private messages, impacting about 9,000 schools worldwide. Details on impact and mitigations.
TL;DR: ShinyHunters alleges it stole 275 million user records from Instructure’s Canvas platform, exposing names, emails, student IDs and private messages while claiming no passwords or financial data were taken. The claim, if verified, would affect roughly 9,000 schools worldwide.
Context: Instructure disclosed the breach on a Friday, confirming the next day that personal data had been accessed. The company said the exposed information includes names, email addresses, student ID numbers and messages between users, but explicitly stated that passwords, birth dates, government identifiers and financial data were not involved. As part of its response, Instructure applied patches, increased monitoring and rotated application keys, requiring customers to re‑authorize API access for new keys.
Instructure’s statement emphasized that the investigation is ongoing and that it is working with third‑party cybersecurity firms and law enforcement to determine the full scope. The firm noted that no evidence of misuse of the exposed data has been observed so far.
Key Facts: ShinyHunters posted on its leak site that the breach impacted about 9,000 schools globally and that approximately 275 million individuals’ data were stolen, including private messages. The group also claims to hold over 240 million records linked to students, teachers and staff from nearly 15,000 institutions across North America, Europe and East Asia/Oceania. Additionally, ShinyHunters alleges that Instructure’s Salesforce instance was compromised, a vector it has used in prior extortion campaigns against companies such as Google, AT&T and Air France‑KLM.
What It Means: If the allegations are accurate, the incident ranks among the largest education‑sector data exposures, potentially enabling phishing, credential stuffing and social‑engineering attacks against students and educators. The exposure of private messages could reveal sensitive academic or personal communications, increasing the risk of targeted extortion. The claimed Salesforce breach suggests attackers may have abused trusted cloud‑service integrations to move laterally within Instructure’s environment.
From a trust perspective, institutions relying on Canvas for course delivery and communication may face questions about data‑protection practices, which could affect adoption decisions and contract renewals. Regulatory bodies in jurisdictions with strict student‑privacy laws may scrutinize whether adequate safeguards were in place.
Mitigations: Organizations using Canvas should immediately rotate all API keys and re‑authorize third‑party applications, enforce multi‑factor authentication on admin accounts, and review Salesforce integration logs for anomalous activity. Defenders should apply the latest Instructure security patches, monitor for outbound data transfers to unfamiliar endpoints, and deploy detection rules for MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566.002 (Phishing: Spearphishing Link). Subscribing to threat‑intel feeds that track ShinyHunters leak‑site updates can help with early detection of exposed credentials. Additionally, security teams should consider implementing data‑loss prevention rules that flag bulk exports of user‑message tables from Canvas databases.
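One way to express the bulk-export check from the mitigations above as detection logic. This is an added example, not code from Instructure or from the original article. The JSON log schema, key names and thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the JSON schema (ts, key_id, path, records) is an
# assumption for illustration, not a Canvas or Instructure log format.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:00:00", "key_id": "key-lti-gradebook", "path": "/api/v1/courses/101/assignments", "records": 40}
{"ts": "2025-01-10T09:01:00", "key_id": "key-helpdesk", "path": "/api/v1/conversations", "records": 25}
{"ts": "2025-01-10T09:02:00", "key_id": "key-sync-job", "path": "/api/v1/conversations", "records": 500}
{"ts": "2025-01-10T09:04:00", "key_id": "key-sync-job", "path": "/api/v1/conversations", "records": 500}
{"ts": "2025-01-10T09:06:00", "key_id": "key-sync-job", "path": "/api/v1/conversations", "records": 500}
{"ts": "2025-01-10T09:30:00", "key_id": "key-helpdesk", "path": "/api/v1/conversations", "records": 30}
not-json garbage line
"""

def flag_bulk_message_reads(log_text, window=timedelta(minutes=10),
                            threshold=1000, path_marker="/conversations"):
    """Return {key_id: peak records read from message endpoints within any
    sliding window} for API keys whose peak exceeds the threshold."""
    recent = defaultdict(deque)   # key_id -> deque of (timestamp, records)
    running = defaultdict(int)    # key_id -> records inside the current window
    peaks, events = {}, []
    for line in log_text.splitlines():
        try:
            e = json.loads(line)
            events.append((datetime.fromisoformat(e["ts"]), e["key_id"],
                           e["path"], int(e["records"])))
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed lines rather than abort the scan
    for ts, key, path, n in sorted(events):
        if path_marker not in path:
            continue  # only message-bearing endpoints count toward the total
        q = recent[key]
        q.append((ts, n))
        running[key] += n
        while q and ts - q[0][0] > window:   # expire events outside the window
            running[key] -= q.popleft()[1]
        if running[key] > threshold:
            peaks[key] = max(peaks.get(key, 0), running[key])
    return peaks

if __name__ == "__main__":
    for key, peak in flag_bulk_message_reads(SAMPLE_LOG).items():
        print(f"ALERT {key}: {peak} message records read within 10 minutes")
```

Tracking volume per API key rather than per source address ties an alert directly to the credential that would need to be rotated.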
What to watch next: Investigators will likely determine whether the breach resulted from a compromised Salesforce instance or another vector, and whether any ransom demand or extortion attempt follows the leak. Observers will also monitor for any official statements from Instructure regarding customer notification timelines and potential regulatory filings.