Instructure Confirms Data Breach Following Claims by ShinyHunters Gang
Educational technology provider Instructure is investigating a data breach involving its Canvas learning management system after the ShinyHunters hacking group claimed to have stolen 3.6 terabytes of data from thousands of schools.
Instructure, the provider of the widely used Canvas learning management system, confirmed a cyber incident that disrupted its operations over the weekend of May 2, 2026. The company initially disclosed the breach on Friday night, prompting an immediate investigation into the scope of the unauthorized access The Record. By Saturday, Instructure’s Chief Information Security Officer, Steve Proud, confirmed that attackers successfully accessed user data from various educational institutions, including names, email addresses, student ID numbers, and internal user messages The Record.
The technical response to the breach involved a containment effort led by cybersecurity experts. According to Proud, the company revoked privileged credentials and access tokens and deployed security patches to mitigate the threat The Record. These remediation steps caused temporary disruptions to some tools used by customers. Instructure emphasized that the attackers did not obtain financial information, passwords, or government documents during the intrusion The Record.
The impact of the breach is significant, given the platform's widespread adoption by schools, universities, and businesses for course delivery and grading. On Sunday afternoon, the cybercriminal group known as ShinyHunters claimed responsibility for the attack The Record. The group alleged that they exfiltrated 3.6 terabytes of data, claiming the stolen information pertains to more than 9,000 schools The Record. Instructure has not provided a formal response to these specific claims regarding the volume of data stolen.
This incident marks the second time Instructure has been targeted by ShinyHunters, following a previous attack in September The Record. The group has been highly active over the past two years, frequently targeting data storage platforms for extortion. Their recent campaign has included high-profile breaches at companies such as ADT, McGraw Hill, and Rockstar The Record.
The attack on Instructure highlights a broader, concerning trend of threat actors targeting large third-party educational software providers to gain access to massive repositories of sensitive information. This follows a major 2025 breach at PowerSchool, where hackers exposed the records of 62 million students and 9.5 million teachers, including highly sensitive data like mental health details and disciplinary notes The Record. That incident resulted in significant legal fallout, including a $17.25 million settlement for the company’s alleged failure to implement adequate security measures, such as multifactor authentication The Record. As educational institutions increasingly rely on centralized platforms, they remain prime targets for data-focused extortion campaigns.