Instructure: Instructure confirms data breach, ShinyHunters claims attack

Instructure Confirms Data Breach as ShinyHunters Claims Theft of 275 Million Records

U.S.-based edtech provider Instructure, the company behind the widely used Canvas learning management system, has confirmed a cyberattack resulting in the theft of user data. The ShinyHunters extortion group has claimed responsibility, listing Instructure on its data leak site and alleging the exposure of 275 million records tied to students, teachers, and staff across nearly 9,000 schools worldwide.

Instructure disclosed the incident on Friday, stating it was working with third-party cybersecurity experts and law enforcement to investigate. An update on Saturday revealed that personally identifiable information (PII) including names, email addresses, student ID numbers, and private user messages was compromised. The company stated that passwords, financial data, dates of birth, and government identifiers were not affected, though it would notify impacted institutions if new evidence emerged.

As part of its response, Instructure deployed patches, increased monitoring, and rotated application keys, requiring customers to re-authorize API access with new credentials. While the company has not confirmed the breach timeline or extortion demands, ShinyHunters claimed the attack exploited a now-patched vulnerability in Instructure’s systems.

The threat actor’s leak site alleges the stolen data includes 240 million records containing names, email addresses, enrolled courses, and private messages between students and teachers. The dataset reportedly spans 15,000 institutions across North America, Europe, and the Asia-Pacific region, with ShinyHunters also claiming access to Instructure’s Salesforce instance and additional undisclosed data.

BleepingComputer has not independently verified the full scope of the breach or the affected institutions. Instructure has not responded to requests for further details on the threat actor’s claims.

Source: https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/

Instructure cybersecurity rating report: https://www.rankiteo.com/company/instructure-inc-

"id": "INS1777847020",
"linkid": "instructure-inc-",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Students, teachers, and staff '
                                              'across nearly 9,000 schools '
                                              'worldwide',
                        'industry': 'EdTech',
                        'location': 'U.S.',
                        'name': 'Instructure',
                        'type': 'Company'}],
 'attack_vector': 'Vulnerability Exploitation',
 'customer_advisories': 'Notifications to impacted institutions if new '
                        'evidence emerges',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '275 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII)',
                 'type_of_data_compromised': ['Names',
                                              'Email addresses',
                                              'Student ID numbers',
                                              'Private user messages']},
 'date_publicly_disclosed': '2023-11-17',
 'description': 'U.S.-based edtech provider Instructure, the company behind '
                'the Canvas learning management system, confirmed a '
                'cyberattack resulting in the theft of user data. The '
                'ShinyHunters extortion group claimed responsibility, alleging '
                'the exposure of 275 million records tied to students, '
                'teachers, and staff across nearly 9,000 schools worldwide.',
 'impact': {'data_compromised': '275 million records',
            'identity_theft_risk': 'High (PII exposed)',
            'operational_impact': 'Required customers to re-authorize API '
                                  'access with new credentials',
            'payment_information_risk': 'None (financial data not affected)',
            'systems_affected': 'Canvas LMS, Salesforce instance'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Alleged (ShinyHunters '
                                                    'leak site)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion',
 'post_incident_analysis': {'corrective_actions': 'Patches deployed, '
                                                  'application keys rotated, '
                                                  'enhanced monitoring',
                            'root_causes': 'Exploited vulnerability in '
                                           'Instructure’s systems'},
 'ransomware': {'data_exfiltration': 'Yes'},
 'references': [{'source': 'BleepingComputer'}],
 'response': {'communication_strategy': 'Public disclosure and notifications '
                                        'to impacted institutions',
              'containment_measures': 'Deployed patches, rotated application '
                                      'keys',
              'enhanced_monitoring': 'Yes',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes',
              'remediation_measures': 'Increased monitoring, required '
                                      're-authorization of API access',
              'third_party_assistance': 'Cybersecurity experts'},
 'threat_actor': 'ShinyHunters',
 'title': 'Instructure Data Breach by ShinyHunters',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Now-patched vulnerability in Instructure’s '
                            'systems'}