ShinyHunters Threatens to Leak 275 Million Users' Data After Canvas Breach

On May 3, ShinyHunters claimed responsibility for breaching Instructure, the parent company of Canvas. The breach exposed personal data of 306,000 University of Pennsylvania users, including emails, names, Penn ID numbers, and course enrollments. The group also says it holds billions of private messages among students, teachers, and staff that may contain phone numbers and home addresses. Instructure confirmed on May 1 that it was investigating a cybersecurity incident and said on May 2 the incident had been contained, noting no evidence of compromised passwords, birth dates, government IDs, or financial data.

- ShinyHunters published the 3.65 TB cache on its forum on May 3, stating it contains data from 275 million individuals and several billion private messages. - The group’s message set a deadline of May 8 for contact, warning that otherwise the data will be released. - On May 5, ShinyHunters posted a list of nearly 9,000 affected institutions, including all eight Ivy League universities, and offered schools a chance to contact them privately to prevent leakage. - The spokesperson told The Daily Pennsylvanian that no university or Instructure has reached out yet, and they remain waiting for contact before the May 8 deadline. - This is not the first time ShinyHunters targeted Penn; in fall 2025 the group leaked internal files after Penn refused a $1 million ransom demand.

If the data is released, affected individuals could face phishing, identity theft, or doxxing from exposed emails, IDs, and messages. Institutions may suffer reputational harm and increased scrutiny of their vendor security practices. The breach highlights risks associated with third‑party learning platforms and the need for robust contract‑level security clauses.

Organizations using Canvas should: 1. Force password resets and enable multi‑factor authentication for all accounts. 2. Review Canvas audit logs for login attempts outside normal business hours. 3. Block IP addresses linked to ShinyHunters’ forum and update firewalls. 4. Apply the latest Instructure security patches and monitor for advisories. 5. Deploy detection rules for outbound traffic exceeding one gigabyte per host and for known credential‑dumping tools. 6. Notify potentially affected users and offer credit‑monitoring or identity‑theft protection services.