ShinyHunters Leaks 3.65 TB from Instructure, Exposing 275 Million Education Users
ShinyHunters posted 3.65 TB of Instructure data, exposing 275 million students, teachers and staff across 9,000 schools. Learn the impact and mitigations.

TL;DR
– ShinyHunters uploaded 3.65 TB of Instructure data on May 3, claiming exposure of 275 million users at roughly 9,000 schools worldwide.
Context
Instructure, the provider of the Canvas learning management system, reported a service disruption on April 30. By May 1 the company confirmed a “cybersecurity incident” caused by a criminal threat actor. Instructure said it patched vulnerable components, revoked compromised credentials, rotated API keys and continued monitoring. The breach was largely contained by May 2.
Key Facts
- On May 3 the hacker collective ShinyHunters posted 3.65 TB of stolen files to its public leak site.
- The group asserts the leak covers 275 million accounts linked to about 9,000 educational institutions worldwide.
- Instructure confirmed that passwords and other private credentials were not taken, but names, email addresses, student IDs, private messages and Salesforce data were extracted.
- The stolen material includes billions of private messages exchanged between students and teachers, raising concerns about academic privacy.
- ShinyHunters has a recent history of high-profile breaches, targeting firms such as Panera Bread, ADT, Crunchyroll, Bumble and Rockstar Games since early 2024.
What It Means
The scale of the data set, 3.65 TB, suggests the attackers accessed multiple backend repositories, likely through compromised API tokens or misconfigured cloud storage. The absence of password theft points to a focus on data exfiltration rather than credential reuse. However, the exposure of student IDs and email addresses enables phishing campaigns tailored to the education sector. The breach of Instructure’s Salesforce instance indicates that the threat actor moved laterally across internal services, behaviour that maps to ATT&CK technique T1078 (Valid Accounts) followed by T1020 (Automated Exfiltration).
Mitigations – What Defenders Should Do
1. Rotate all API keys and access tokens on Canvas and any integrated SaaS platforms; enforce short lifetimes and least-privilege scopes.
2. Audit cloud storage permissions for publicly accessible buckets; apply bucket-level encryption and restrict access to specific service accounts.
3. Deploy detection signatures for abnormal data transfer volumes, especially outbound spikes exceeding typical LMS traffic.
4. Implement multi-factor authentication (MFA) for all administrative accounts and require MFA for any third-party integrations.
5. Conduct a credential-reuse audit; force password changes for any accounts that may have been reused elsewhere.
6. Review Salesforce security settings, revoke unused connected apps, and enable event monitoring to spot anomalous queries.
7. Notify affected users promptly, provide guidance on phishing awareness, and offer optional two-factor enrollment.
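One way to implement step 3 for API traffic, as an added example that is not code from Instructure or from this article: it sums response bytes per API token per hour and flags hours far above that token's own baseline, with a flat ceiling for tokens too new to have one. The record layout, token labels, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def hourly_volumes(records):
    """Sum response bytes per (token, hour); records are (iso_ts, token, bytes),
    an assumed layout to be mapped from your own gateway or proxy logs."""
    totals = defaultdict(int)
    for ts, token, nbytes in records:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        totals[(token, hour)] += nbytes
    return totals

def flag_spikes(records, k=8.0, min_hours=12, new_token_ceiling=500_000_000):
    """Return (token, hour, bytes, reason) for hours far above a token's norm.
    Baseline is median + k*MAD per token (robust to the burst itself); tokens
    with under min_hours of history get a flat ceiling instead."""
    per_token = defaultdict(dict)
    for (token, hour), total in hourly_volumes(records).items():
        per_token[token][hour] = total
    alerts = []
    for token, hours in per_token.items():
        values = list(hours.values())
        if len(values) < min_hours:
            alerts += [(token, h, v, "no-baseline") for h, v in hours.items()
                       if v > new_token_ceiling]
            continue
        med = median(values)
        mad = median(abs(v - med) for v in values)
        limit = med + k * max(mad, 0.05 * med)  # floor avoids a zero-width band
        alerts += [(token, h, v, "above-baseline") for h, v in hours.items() if v > limit]
    return sorted(alerts, key=lambda a: (a[1], a[0]))

def sample_records():
    """Constructed data: two steady integration tokens, one bulk pull, one fresh token."""
    rows = []
    for day in range(1, 8):
        for hour in (8, 12, 16):
            stamp = f"2025-01-{day:02d}T{hour:02d}:10:00"
            rows.append((stamp, "tok-gradebook", 40_000_000 + 1_000_000 * day))
            rows.append((stamp, "tok-roster", 5_000_000 + 100_000 * hour))
    rows.append(("2025-01-07T03:20:00", "tok-gradebook", 9_000_000_000))
    rows.append(("2025-01-07T03:40:00", "tok-gradebook", 8_000_000_000))
    rows.append(("2025-01-07T03:30:00", "tok-new", 2_000_000_000))
    return rows

if __name__ == "__main__":
    for token, hour, total, reason in flag_spikes(sample_records()):
        print(f"{hour:%Y-%m-%d %H}:00 {token} {total / 1e9:.1f} GB ({reason})")
```

Tune `k`, `min_hours` and the ceiling against a few weeks of your own traffic before alerting on the output, since scheduled bulk exports will otherwise appear as spikes.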
The incident underscores the need for continuous monitoring of API usage and strict cloud‑storage hygiene. Watch for Instructure’s forthcoming security advisory and any indication of further data releases by ShinyHunters.