RC RANDOM CHAOS

Instructure confirms Canvas breach; ShinyHunters claims 275M records taken

via BleepingComputer

Original source: "Instructure confirms data breach, ShinyHunters claims attack" (BleepingComputer)

Instructure, the company behind the Canvas learning management system, has confirmed a cyberattack that exposed user data across its customer institutions. The company says the stolen information so far includes names, email addresses, student ID numbers, and messages between users, but states that passwords, dates of birth, government IDs, and financial data do not appear to be involved. In response, Instructure has applied patches, expanded monitoring, and rotated application keys, forcing customers to re-authorize API access.

The ShinyHunters extortion crew has taken credit on its leak site, claiming the haul covers roughly 9,000 schools and 275 million individuals, with over 240 million records spanning students, teachers, and staff across nearly 15,000 institutions in North America, Europe, and Asia-Pacific. The group also alleges it pulled billions of private messages and breached Instructure’s Salesforce instance, attributing the intrusion to a now-patched vulnerability.

The scale claimed by the attackers is far larger than what Instructure has acknowledged, and the attackers' figures are unverified. The Salesforce angle fits a broader ShinyHunters pattern of pivoting through SaaS integrations, suggesting the blast radius for downstream institutions may extend beyond the Canvas platform itself.

This is an AI-generated summary. Read the original for the full story.