
ShinyHunters Leak 6.65TB of Canvas Data from 9,000 Schools, Ransom Demand Low

ShinyHunters stole 6.65TB of Canvas data from nearly 9,000 schools, exposing student names, emails and messages. Instructure claims resolution; see mitigations.

Peter Olaleru/3 min/NG

Cybersecurity Editor


TL;DR

ShinyHunters stole 6.65 TB of Canvas data from nearly 9,000 schools, exposing student names, emails and private messages, and demanded a low ransom after Instructure allegedly ignored contact attempts.

Context

Canvas is a widely used learning management system with about 30 million active K‑12 and higher‑education users. On May 1 Instructure posted that it was investigating a cybersecurity incident. The next day its CISO confirmed that unauthorized access had exposed user names, email addresses, student IDs and messages. By May 6 the company declared the breach resolved and the platform fully operational.

Key Facts

The hacking group ShinyHunters claimed to have exfiltrated roughly 6.65 terabytes of Canvas data linked to close to 9,000 schools worldwide. The stolen information included student names, email addresses and private messages between students, teachers and staff. ShinyHunters said Instructure had not contacted them to avoid the leak and described their ransom demand as "relatively low." On May 7 the group posted a note on affected schools’ Canvas login pages with a link to a list of about 1,400 institutions, then removed the messages later that day.

What It Means

The exposure of personal data and internal communications raises risks of identity theft, phishing and targeted social engineering. Disruption was reported as students tried to access Canvas for final‑exam preparation, with some districts restricting access out of caution. Even though Instructure says the service is restored, the data may already be circulating in underground markets, and the low ransom suggests the attackers may have sought quick profit rather than prolonged negotiation.

Mitigations

Security teams should: enforce multi‑factor authentication for all Canvas admin and user accounts; review and rotate any API keys or service accounts that could have been abused; monitor logs for unusual login locations or bulk data downloads (MITRE ATT&CK T1078 – Valid Accounts, T1041 – Exfiltration Over C2 Channel); apply the latest Instructure security advisories and patch any known vulnerabilities (check for CVEs related to Canvas integrations); implement data loss prevention rules to detect large outbound transfers of user‑identifiable information; and educate users about phishing attempts that may reference the breach.
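One way to approach the log-monitoring item above, as an added example that is not from Instructure or the original article: a small detector for logins from a country not previously seen for an account and for bulk downloads inside a sliding time window. The log schema, account names, thresholds and the placeholder country codes XA/XB are all assumptions, and records are assumed to arrive in time order.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. The field names are a hypothetical schema, not
# the format of any real Canvas log export; XA/XB are placeholder country codes.
SAMPLE_LOG = """\
{"ts":"2030-01-01T08:00:00","user":"teacher1","country":"XA","event":"login","bytes":0}
{"ts":"2030-01-01T08:05:00","user":"teacher1","country":"XA","event":"download","bytes":300000000}
{"ts":"2030-01-01T09:00:00","user":"teacher1","country":"XA","event":"download","bytes":300000000}
{"ts":"2030-01-01T23:10:00","user":"svc-sync","country":"XB","event":"login","bytes":0}
{"ts":"2030-01-01T23:11:00","user":"svc-sync","country":"XB","event":"download","bytes":200000000}
{"ts":"2030-01-01T23:14:00","user":"svc-sync","country":"XB","event":"download","bytes":200000000}
{"ts":"2030-01-01T23:17:00","user":"svc-sync","country":"XB","event":"download","bytes":200000000}
"""
BASELINE = {"teacher1": {"XA"}, "svc-sync": {"XA"}}  # countries seen before (assumed)

def find_alerts(lines, known, max_bytes=500_000_000, window=timedelta(minutes=10)):
    """Return (kind, user, detail) tuples for new-country logins and bulk downloads."""
    alerts, flagged = [], set()
    seen = {user: set(countries) for user, countries in known.items()}
    recent = defaultdict(deque)  # user -> (timestamp, bytes) pairs inside the window
    totals = defaultdict(int)    # user -> bytes downloaded inside the window
    for line in filter(str.strip, lines):
        rec = json.loads(line)
        ts, user = datetime.fromisoformat(rec["ts"]), rec["user"]
        if rec["event"] == "login":
            countries = seen.setdefault(user, set())
            # A user with no baseline is learned silently to limit noise.
            if countries and rec["country"] not in countries:
                alerts.append(("new_country_login", user, rec["country"]))
            countries.add(rec["country"])
        elif rec["event"] == "download":
            recent[user].append((ts, rec["bytes"]))
            totals[user] += rec["bytes"]
            # Drop transfers that have aged out of the sliding window.
            while ts - recent[user][0][0] > window:
                totals[user] -= recent[user].popleft()[1]
            if totals[user] > max_bytes and user not in flagged:
                alerts.append(("bulk_download", user, totals[user]))
                flagged.add(user)  # one bulk alert per user
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines(), BASELINE):
        print(alert)
```

The two 300 MB downloads by teacher1 are 55 minutes apart and stay under the threshold, while the three svc-sync transfers fall inside one 10-minute window and trip it.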

What to watch next

Observers should track whether the stolen Canvas data appears on dark‑web forums or is used in subsequent credential‑stuffing campaigns, and whether Instructure releases a detailed post‑incident report outlining the root cause and long‑term hardening steps.
