ShinyHunters Breaches Instructure’s Canvas: 275 Million Student Records Stolen in Education’s Worst Data Catastrophe
Instructure confirmed a criminal cyberattack on Canvas LMS after ShinyHunters claimed responsibility for exfiltrating 3.65 TB of data from nearly 9,000 schools worldwide. The breach exposed names, email addresses, student IDs, and billions of private messages, triggering urgent questions about how a single SaaS platform can become the master key to the personal data of an entire generation of learners.
On April 30, 2026, engineers at Instructure, the company behind the Canvas learning management system, noticed something wrong with their API keys. What followed over the next week was a slow-motion confirmation of a catastrophe: a criminal threat actor had breached the platform used by more than 7,000 universities, K-12 districts, and education ministries across the globe. ShinyHunters, the extortion group behind high-profile hits on Ticketmaster and Snowflake customers, took credit. The alleged haul of 275 million records makes this one of the single largest education-sector data thefts ever recorded.
Instructure’s Canvas holds roughly 41% of the North American higher-education market. That concentration is exactly what makes it so attractive to attackers, and so dangerous when it fails. One breach, one exfiltration window, one unplugged credential, and the academic records, private messages, and institutional identities of an entire generation of students can land on a criminal leak site.
What Happened: A Supply-Chain Attack on Global Education
Canvas is not a single school’s system. It’s a multi-tenant cloud platform hosted on AWS that aggregates data across thousands of individually isolated institutional accounts, centralizing them for analytics, integrations, and API-driven services. That architecture is its commercial strength. It’s also its security liability.
Instructure detected the first signs of unauthorized access on April 30, escalating through a formal incident declaration by May 2. By May 3, ShinyHunters had posted claims on monitored leak sites, alleging exfiltration of 3.65 terabytes spanning approximately 275 million user records across close to 9,000 institutions. The data allegedly includes names, institutional email addresses, student ID numbers, and messages exchanged between users over the platform. No passwords, dates of birth, government identifiers, or financial information appear to have been involved, according to Instructure’s own investigation at the time of publication.
Context: ShinyHunters previously targeted Instructure in a separate breach in September 2025, reportedly via a third-party Salesforce integration. Two confirmed attacks in eight months. The May 2026 incident is the larger of the two by any available measure.
The scale is difficult to contextualize. At 275 million records, the alleged dataset is larger than the entire population of Brazil. The 3.65 terabytes of raw data represents not just identifying fields but conversation logs, the actual content of messages between students and instructors, which adds a dimension of personal exposure that no simple identity-fraud warning can address.
Instructure’s Incident Timeline
The containment window from detection to resolution spanned roughly six days. Whether the threat actor had access for days or weeks before the April 30 detection remains an open forensic question Instructure has not yet answered publicly.
Who Are ShinyHunters, and Why Does It Matter?
ShinyHunters has operated since 2019, building a reputation as one of the most prolific data-theft and extortion groups active today. Their model is straightforward: breach a high-value target, exfiltrate as much data as possible, then demand payment under threat of public release. Past victims include Ticketmaster, AT&T, and numerous Snowflake enterprise customers. In 2025, the group was reported to have merged operations with elements of Lapsus$, expanding its technical reach considerably.
“ShinyHunters… Threat Classification: Data Theft, Extortion, Database Monetization… Amount of Available Information: High.”
Jon DiMaggio, Threat Actor Analyst, Analyst1 — Analyst1 Threat Actor Profile, February 2026
The education sector is a particularly appealing target. Schools hold rich personal data on minors and young adults, including contact information, internal communications, and institutional identifiers that don’t change the way passwords do. Phishing campaigns built on this kind of dataset can be devastatingly precise: a message appearing to come from a student’s actual professor, referencing a real assignment, is far more convincing than a generic credential-harvesting attempt.
The group operates on a “pay or leak” extortion model, but Instructure’s public statements made no reference to any ransom demand or payment deadline. As of publication, no deadline confirmation from primary sources has been independently verified.
Why Canvas Is Such a High-Value Target: The Multi-Tenancy Problem
Canvas’s architecture concentrates risk in ways that a federated, institution-by-institution deployment model would not. The platform runs as a SaaS product on AWS multi-region infrastructure, including regions such as us-east-1 and eu-west-1, using API keys, OAuth, and SSO for integrations. Each institution’s data is logically isolated in separate tenant partitions, but the administrative and analytics layers, including products like Canvas Data 2, aggregate across tenants for reporting and integration purposes. That aggregation layer is where the exposure multiplies enormously.
Instructure’s response involved revoking credentials, rotating API keys, and patching unspecified vulnerabilities. The company did not publicly name the precise attack vector, so whether the breach entered through credential compromise, API misconfiguration, or a third-party integration remains officially unconfirmed. What is clear is that the platform’s privileged access layer, once breached, could reach data across thousands of institutions in a single exfiltration operation.
Technical note: Canvas stores user messages without end-to-end encryption in order to support search and moderation functionality. Any actor with sufficient API privileges can read message content in plain text, not just metadata. That’s a deliberate architectural trade-off, and one that massively amplifies the harm when access is compromised.
Security researchers have noted for years that edtech platforms lag behind enterprise software in zero-trust adoption. API keys are often long-lived, loosely scoped, and infrequently audited. In a world where multi-tenant SaaS platforms handle hundreds of millions of records, those gaps compound quickly into catastrophic exposure windows.
How the Instructure Breach Compares to Other Major Incidents
| Incident | Date | Records Affected | Data Type | Sector | Group Responsible |
|---|---|---|---|---|---|
| Instructure Canvas (May 2026) | Apr–May 2026 | ~275 million | Names, emails, IDs, messages | Education | ShinyHunters |
| National Public Data | Aug 2024 | ~2.9 billion | SSNs, addresses, names | Data broker | USDoD |
| Ticketmaster / Live Nation | May 2024 | ~560 million | Payment, contact, ticket info | Entertainment | ShinyHunters |
| Instructure Canvas (Sep 2025) | Sep 2025 | Undisclosed | Undisclosed (Salesforce integration) | Education | ShinyHunters (reported) |
| PowerSchool | Dec 2024 | ~60 million | Student and teacher records | Education (K-12) | Unknown |
The Canvas breach lands as the largest confirmed education-sector data exposure on record by volume of affected individuals. Its significance lies not just in scale but in the content dimension: unlike records-only breaches, the inclusion of private messages creates social-engineering ammunition that is qualitatively more dangerous than a name-and-email dataset alone.
Instructure’s Response: What CISO Steve Proud Said
Instructure’s formal public statement on May 6 came from CISO Steve Proud via the company’s incident status page. The statement was measured and carefully scoped, confirming the incident while stopping short of independently verifying ShinyHunters’ stated data volumes.
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”
Steve Proud, Chief Information Security Officer, Instructure — Instructure Status Page, May 6, 2026
The statement notably avoids confirming the number of affected institutions or individuals, describing the exposed data as “certain identifying information” rather than quantifying scope. Instructure also did not publicly confirm or deny the 9,000-institution figure ShinyHunters cited. The gap between the vendor’s scoped language and the attacker’s sweeping claims is itself a forensic question worth watching as the investigation develops.
Affected institutions are legally responsible for notifying impacted students and staff under frameworks like FERPA in the United States and GDPR in Europe. The burden of individual notification and regulatory compliance falls on the schools, not on Instructure directly, a structural asymmetry that critics argue under-incentivizes platform vendors to invest aggressively in breach prevention.
What Students, Teachers, and IT Teams Should Do Right Now
Rotate credentials
Change passwords for any account sharing credentials with your Canvas login. Enable multi-factor authentication on every account you can access.
Watch for phishing
Expect highly targeted emails appearing to come from real professors or classmates. Verify any unusual request by phone or in person before acting on it.
Monitor Have I Been Pwned
Check haveibeenpwned.com for your institutional email. The dataset is not yet listed as of publication, but listings can appear weeks after a breach.
IT: Audit all API keys
Revoke all long-lived Canvas API tokens. Re-issue with minimum required scopes. Audit every third-party integration connected to your institution’s Canvas instance.
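As an added illustration of the token audit described above (not code from Instructure or from this article's sources), the following Python sketch flags tokens that never expire, exceed a maximum lifetime, carry no scope restriction, or have gone unused. The CSV columns, sample rows, scope strings, and the 90-day and 30-day thresholds are all assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed policy thresholds; set these to your institution's standard.
MAX_LIFETIME = timedelta(days=90)
MAX_IDLE = timedelta(days=30)

# Constructed sample inventory. Column names and values are hypothetical,
# not a real Canvas export format.
SAMPLE_INVENTORY = """\
token_id,integration,created_at,expires_at,last_used_at,scopes
t-001,sis-sync,2023-08-01,,2026-05-01,
t-002,proctoring-lti,2026-04-01,2026-06-01,2026-05-05,courses:read
t-003,analytics-export,2025-01-10,2027-01-10,2025-09-30,reports:read
t-004,gradebook-plugin,2026-03-15,2026-06-10,,*
"""

def _parse(value):
    """Return a datetime for an ISO date string, or None if the field is empty."""
    return datetime.fromisoformat(value) if value else None

def audit_tokens(csv_text, now):
    """Map token_id -> list of policy findings; compliant tokens are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = _parse(row["created_at"])
        expires = _parse(row["expires_at"])
        last_used = _parse(row["last_used_at"])
        scopes = row["scopes"].split()
        reasons = []
        if expires is None:
            reasons.append("no-expiry")        # token never ages out
        elif expires - created > MAX_LIFETIME:
            reasons.append("long-lived")       # issued for longer than policy allows
        if not scopes or "*" in scopes:
            reasons.append("unscoped")         # full access instead of minimum scopes
        if last_used is None or now - last_used > MAX_IDLE:
            reasons.append("stale")            # unused integration, candidate for removal
        if reasons:
            findings[row["token_id"]] = reasons
    return findings

if __name__ == "__main__":
    report = audit_tokens(SAMPLE_INVENTORY, datetime(2026, 5, 7))
    for token_id, reasons in report.items():
        print(f"{token_id}: revoke and re-issue ({', '.join(reasons)})")
```

Run it against an inventory assembled from your own admin console and integration records; every token it lists is a candidate for revocation and re-issue with a shorter lifetime and narrower scopes.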
Universities operating under FERPA have independent notification obligations once they become aware of a breach affecting student educational records. Institutions should not wait for Instructure’s official notification before beginning their own incident response. Legal counsel familiar with FERPA breach obligations should be involved from day one.
Instructure Has a Posture Problem, Not a Luck Problem
Two ShinyHunters attacks in eight months is not a coincidence. The first breach, in September 2025, reportedly entered through a Salesforce integration, a third-party surface. The second, in April 2026, first surfaced as a problem with API keys. Different vectors, same outcome. That pattern points not to an unlucky run of sophisticated attacks but to systemic gaps in how Instructure manages its external attack surface over time.
One anonymous security analyst writing for GBlock put it plainly: two breaches in eight months “is not a streak of bad luck. It is a posture problem.” That’s a harder verdict than Instructure’s measured containment language suggests, and it’s the kind of institutional accountability question that procurement officers at universities will be asking directly in the months ahead.
The repeat-target dynamic also raises questions about the security diligence frameworks universities apply when selecting and renewing LMS contracts. Canvas dominates with roughly 41% of the North American higher-ed market. When a platform is that entrenched, switching costs are enormous and competitive pressure to improve security posture weakens. That structural dynamic is as much a systemic risk as any individual vulnerability.
What the industry needs, and what this incident may accelerate, is a shift toward zero-trust architecture in edtech procurement standards: short-lived tokens, minimal API scopes, mandatory MFA at the integration layer, and third-party audits with real teeth. Whether Instructure’s customer base has the leverage to demand those changes is the real question this breach puts on the table.
People Also Ask
Was my school affected by the Instructure Canvas breach?
ShinyHunters claims the breach affected approximately 9,000 institutions globally. Not every Canvas customer is necessarily affected, and Instructure has not released a list of impacted schools. Check your school’s IT communications and monitor Instructure’s official status page for institution-specific guidance as it becomes available.
What data was stolen in the ShinyHunters Canvas hack?
According to Instructure’s official statement, the breach exposed names, institutional email addresses, student ID numbers, and messages between users. The company says there is no evidence that passwords, dates of birth, government identifiers, or financial information were involved. ShinyHunters claims 3.65 TB of total data exfiltration, a figure Instructure has neither confirmed nor denied.
How do I check if my student information was exposed?
Monitor Have I Been Pwned using your institutional email address. As of publication, the dataset has not yet appeared there, but that can change weeks after a breach. Regardless, change your Canvas-linked password, enable MFA on your account, and stay alert for targeted phishing emails referencing real course details or instructor names.
Has ShinyHunters issued a ransom deadline for Instructure?
No confirmed ransom demand or deadline has been verified from primary sources as of publication. Instructure’s CISO statement declared the incident resolved with no ongoing activity. ShinyHunters operates a “pay or leak” model, but there is no public confirmation that a demand was made, met, or refused in this case.
What should universities do right now about Canvas LMS security?
Immediately revoke all long-lived Canvas API tokens and re-issue with minimum required scopes. Enforce MFA across all administrative and integration accounts. Audit all third-party app integrations connected to your Canvas instance. Notify legal counsel of potential FERPA obligations. Brief faculty on the elevated phishing risk from message-content exposure, particularly for communications referencing specific students or assignments.
