ShinyHunters Breaches Instructure in Massive Educational Data Theft
The cybercriminal group ShinyHunters has carried out one of the largest educational data breaches to date, targeting Instructure, the provider of the Canvas learning management system. The attack, detected on April 29, exploited a vulnerability in Canvas Free for Teacher, a service used by 8,809 institutions worldwide, including K–12 schools and higher education organizations.
Instructure responded on May 2 by revoking compromised credentials, deploying security patches, and rotating encryption keys. However, a second wave of activity occurred on May 7, with users reporting extortion messages upon logging in. ShinyHunters claims to have exfiltrated 6.65 terabytes of data, including 275 million records containing names, email addresses, student ID numbers, and private communications between students, teachers, and staff. Instructure’s CISO, Steve Proud, confirmed that no passwords, financial details, or government identifiers were compromised.
The group has set a May 12 deadline to negotiate a settlement, threatening to leak the stolen data if demands are not met. The breach underscores the growing targeting of educational institutions by cybercriminals seeking sensitive student and faculty information.
Instructure cybersecurity rating report: https://www.rankiteo.com/company/instructure-inc-
{
  "id": "INS1778605156",
  "linkid": "instructure-inc-",
  "type": "Breach",
  "date": "4/2026",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '8,809 institutions',
                        'industry': 'Educational Technology',
                        'name': 'Instructure',
                        'type': 'Company'}],
 'attack_vector': 'Vulnerability Exploitation',
 'customer_advisories': 'Extortion messages reported by users on May 7',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '275 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Names',
                                              'Email addresses',
                                              'Student ID numbers',
                                              'Private communications']},
 'date_detected': '2024-04-29',
 'date_publicly_disclosed': '2024-05-02',
 'description': 'The cybercriminal group ShinyHunters targeted Instructure, '
                'the provider of the Canvas learning management system, '
                'exploiting a vulnerability in Canvas Free for Teacher. The '
                'breach affected 8,809 institutions worldwide, including K–12 '
                'schools and higher education organizations. ShinyHunters '
                'exfiltrated 6.65 terabytes of data, including 275 million '
                'records with names, email addresses, student ID numbers, and '
                'private communications. The group demanded a settlement by '
                'May 12, threatening to leak the data if demands were not met.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': '6.65 terabytes',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'None',
            'systems_affected': 'Canvas Free for Teacher'},
 'initial_access_broker': {'entry_point': 'Canvas Free for Teacher '
                                          'vulnerability'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion',
 'post_incident_analysis': {'corrective_actions': 'Security patches, '
                                                  'encryption key rotation',
                            'root_causes': 'Vulnerability in Canvas Free for '
                                           'Teacher'},
 'ransomware': {'data_encryption': 'No',
                'data_exfiltration': 'Yes',
                'ransom_demanded': 'Settlement negotiation'},
 'references': [{'source': 'Cyber Incident Description'}],
 'response': {'communication_strategy': 'Public disclosure on May 2',
              'containment_measures': 'Revoked compromised credentials, '
                                      'deployed security patches, rotated '
                                      'encryption keys',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Security patches, encryption key '
                                      'rotation'},
 'threat_actor': 'ShinyHunters',
 'title': 'ShinyHunters Breaches Instructure in Massive Educational Data Theft',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Canvas Free for Teacher service vulnerability'}