ShinyHunters has listed Instructure on its data extortion site, claiming it stole records tied to 275 million students, teachers, and staff at nearly 9,000 schools worldwide.
Instructure, the U.S.-based company behind Canvas, a widely used learning management system, confirmed the breach Friday and engaged law enforcement. By Saturday, it acknowledged personal information was exposed: names, email addresses, student ID numbers, and messages among users.
The gang’s claims go further. It alleges the stolen dataset spans almost 15,000 institutions across North America, Europe, and Asia-Pacific, contains over 240 million records, and includes several billion private messages between students and teachers. ShinyHunters also claims it accessed Instructure’s Salesforce instance. Instructure says it hasn’t found evidence that passwords, dates of birth, government identifiers, or financial information were involved.
FERPA, the federal law protecting student educational records, governs how institutions must handle unauthorized disclosures; state breach notification statutes add independent notification timelines. Instructure says it’s working with third-party cybersecurity experts alongside law enforcement.
The company has deployed patches, increased monitoring, and rotated application keys. Customers must re-authorize API access before new keys take effect.
Instructure hasn’t confirmed whether ShinyHunters demanded payment or when the breach occurred. The gang says the exploited vulnerability is now patched. Formal breach notifications to affected institutions, and any law enforcement action against ShinyHunters, are the next steps on the clock.
James Okafor