ShinyHunters Threatens May 8 Leak of 275 Million Canvas Users After 3.65 TB Breach
ShinyHunters claims 3.65 TB of Canvas data covering 275 million users and threatens a May 8 leak unless contacted. Learn the impact and mitigations.

TL;DR: ShinyHunters says it stole 3.65 TB of Canvas data covering 275 million users and will publish it on May 8 if Instructure or the affected schools do not negotiate.
Context
On May 1, Instructure, the provider of the Canvas learning‑management system, announced a “cybersecurity incident” involving an unknown criminal actor. The company engaged third‑party investigators and law‑enforcement partners, and by May 2 reported that the breach was contained. The incident affected user‑identifying data (names, email addresses, student IDs) and internal messages, but no passwords or financial details were found.
Key Facts
- ShinyHunters, a group known for large‑scale data theft, posted 3.65 TB of stolen files on its forum on May 3. The cache claims to contain information on 275 million individuals and “billions of private messages.”
- Among the exposed records are 306 000 University of Pennsylvania affiliates, including email addresses, Penn IDs, and course enrollment data.
- The group issued a final warning on May 5, giving institutions until May 7 to contact them privately to prevent a public dump. A follow‑up note on May 6 reiterated the May 8 deadline.
- No ransom demand was disclosed in the latest communication, though the group previously claimed Penn refused a $1 million payment in a 2025 incident.
- The breach appears to have leveraged compromised credentials to access Canvas APIs, a technique mapped to MITRE ATT&CK T1078 (Valid Accounts). The exact vulnerability remains unconfirmed, but the rapid exfiltration suggests inadequate segmentation of user data stores.
What It Means
The scale of the leak threatens academic institutions, students, and staff with credential‑stuffing attacks, phishing campaigns, and social‑engineering scams. Exposure of student IDs and email addresses enables attackers to craft convincing spear‑phishing messages that bypass basic filters. The “billions of private messages” could contain personal contact information, increasing the risk of identity theft.
Mitigations
- Reset credentials for all Canvas accounts and enforce multi‑factor authentication (MFA) where possible. MFA adds a second verification step, blocking attackers who have only stolen passwords.
- Apply network segmentation to isolate learning‑management databases from other campus systems, limiting lateral movement.
- Deploy detection signatures for abnormal API calls and large data transfers, referencing ATT&CK technique T1020 (Automated Exfiltration).
- Monitor for credential‑stuffing by enabling account lockout thresholds and reviewing failed‑login logs.
- Inform affected users promptly, providing guidance on phishing awareness and recommending password changes on any reused accounts.
- Engage incident‑response teams and consider third‑party forensic analysis to identify the initial access vector and any lingering backdoors.
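To make the "abnormal API calls and large data transfers" mitigation concrete, here is an added detection sketch (not from the original article or from Instructure) that flags API tokens pulling too many bytes or too many distinct user records within a five-minute window. The log format, token names, timestamps and thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (hypothetical): timestamp token method path status bytes
LINE = re.compile(r"(\S+) (\S+) [A-Z]+ (\S+) (\d{3}) (\d+)$")
USER_PATH = re.compile(r"^/api/v1/users/(\d+)(?:/|$)")
WINDOW_MIN = 5            # fixed window size in minutes
MAX_BYTES = 50_000_000    # assumed per-token byte budget per window
MAX_USERS = 100           # assumed distinct user records per window

def detect(lines):
    """Return {token: [reasons]} for tokens over a threshold in any window."""
    windows = defaultdict(lambda: {"bytes": 0, "users": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(4) != "200":
            continue  # skip malformed lines and unsuccessful requests
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        start = ts.replace(minute=ts.minute - ts.minute % WINDOW_MIN, second=0)
        w = windows[(m.group(2), start)]
        w["bytes"] += int(m.group(5))
        user = USER_PATH.match(m.group(3))
        if user:
            w["users"].add(user.group(1))
    alerts = defaultdict(set)
    for (token, _), w in windows.items():
        if w["bytes"] > MAX_BYTES:
            alerts[token].add("bulk_transfer")
        if len(w["users"]) > MAX_USERS:
            alerts[token].add("user_enumeration")
    return {t: sorted(r) for t, r in alerts.items()}

def sample_log():
    """Constructed lines: one ordinary token, one pulling 300 profiles in 3 min."""
    lines = [
        "2030-01-01T09:00:05Z tok_teacher GET /api/v1/courses/42/assignments 200 18432",
        "2030-01-01T09:01:10Z tok_teacher GET /api/v1/users/1001/profile 200 2048",
        "2030-01-01T09:02:00Z tok_teacher GET /api/v1/conversations 200 40960",
        "2030-01-01T09:02:30Z tok_teacher GET /api/v1/users/1002/profile 401 0",
    ]
    for i in range(300):
        lines.append(f"2030-01-01T03:0{i // 100}:{i % 60:02d}Z tok_integration "
                     f"GET /api/v1/users/{2000 + i}/profile 200 400000")
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))
```

In practice the thresholds would be set from each integration's observed baseline instead of fixed constants, since legitimate sync jobs can also read many records.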
The next critical step is whether Instructure or any of the 9 000 listed institutions will negotiate with ShinyHunters before the May 8 deadline. Security teams should prepare for a wave of post‑leak exploitation attempts and tighten defenses accordingly.