VYPR
breachPublished May 3, 2026· Updated May 17, 2026· 2 sources

Instructure Confirms Data Breach Following ShinyHunters Extortion Claims

Education technology giant Instructure has confirmed a data breach involving the theft of user information, with the ShinyHunters extortion group claiming to have stolen 3.65 terabytes of data from millions of students and faculty.

Instructure, the Salt Lake City-based education technology firm behind the widely used Canvas learning management system, has confirmed a significant data breach following a cyberattack that disrupted its services. The company first disclosed the incident on April 30, noting that the attack caused widespread issues for tools relying on API keys. By May 3, the company had restored access to its Canvas Data 2 platform and confirmed that user data had been exfiltrated SecurityWeek BleepingComputer.

The attack involved unauthorized access to sensitive user information, including names, email addresses, student ID numbers, and private user messages. Instructure stated that, based on their ongoing investigation, there is currently no evidence that passwords, dates of birth, government identifiers, or financial information were compromised SecurityWeek BleepingComputer. The attackers reportedly gained entry through a vulnerability in the company's systems, which Instructure has since patched BleepingComputer.

The impact of the breach is potentially massive, though the full scope remains under investigation. The notorious extortion group ShinyHunters has claimed responsibility for the attack, listing Instructure on its Tor-based leak site. The threat actor alleges that they stole 3.65 terabytes of data, claiming the breach affects approximately 275 million individuals—including students, teachers, and staff—across nearly 9,000 educational institutions worldwide SecurityWeek. ShinyHunters further claims that the stolen data includes billions of private messages and that the company’s Salesforce instance was also compromised BleepingComputer.

In response to the intrusion, Instructure has engaged third-party forensics experts and is working with law enforcement. To secure its environment, the company revoked privileged credentials and access tokens, deployed security patches, and implemented enhanced monitoring. As a precautionary measure, Instructure required all users to reauthorize access to its API to facilitate the issuance of new application keys SecurityWeek BleepingComputer.

While Instructure has not confirmed the specific number of affected institutions or the validity of the threat actor's claims, the incident highlights the persistent risk to large-scale educational platforms. The breach serves as a stark reminder of the supply chain and data aggregation risks inherent in modern edtech, where a single point of failure can expose millions of users across thousands of global institutions. Security teams should continue to monitor for further disclosures as the investigation proceeds and the threat actor's claims are verified BleepingComputer.

Synthesized by Vypr AI