ShinyHunters Claims 3.65 TB Canvas Breach, Issues Pay‑or‑Leak Ultimatum

Instructure, maker of the Canvas learning management system, said the breach was discovered on April 30 and appears contained. Canvas serves roughly 41 percent of North American higher‑education institutions and thousands of K‑12 districts. The stolen data includes names, email addresses, student ID numbers, and private messages exchanged inside the platform. Instructure said there is no evidence that passwords, dates of birth, government identifiers, or financial information were accessed.

- ShinyHunters claims the exfiltrated volume is 3.65 TB, equivalent to about 275 million records from students, teachers, and staff at nearly 9,000 institutions globally. - The group has issued a pay‑or‑leak ultimatum, threatening to publish the data unless its demands are met. - This incident follows a September 2025 intrusion in which ShinyHunters used social engineering to compromise Instructure’s Salesforce environment, marking the second attack on the same vendor within eight months.

The exposure of private messages raises the risk of highly targeted phishing that references real courses and conversations, increasing the likelihood of credential theft. Affected institutions must assess notification obligations under FERPA, COPPA, and roughly 130 state student‑privacy statutes, most of which place the burden on the school rather than the vendor.