VYPR
breachPublished May 5, 2026· Updated May 17, 2026· 1 source

ShinyHunters Claims Massive Data Theft from Instructure’s Canvas Platform

The ShinyHunters extortion group claims to have stolen 280 million records from Instructure, the provider of the Canvas learning management system, affecting thousands of educational institutions worldwide.

The ShinyHunters extortion gang has claimed responsibility for a massive data breach at Instructure, the parent company of the widely used Canvas learning management system. The threat actors allege they have exfiltrated 280 million records belonging to students, teachers, and staff across 8,809 colleges, school districts, and online education platforms BleepingComputer.

According to the attackers, the breach was facilitated by abusing legitimate Canvas data export features. The group claims to have harvested hundreds of gigabytes of sensitive information by leveraging Data Access Platform (DAP) queries, provisioning reports, and user APIs BleepingComputer. The stolen data reportedly includes names, email addresses, and the contents of private messages sent within the platform.

The impact of this incident is potentially vast, with the threat actors providing a list of over 8,800 affected institutions, each with record counts ranging from tens of thousands to several million BleepingComputer. While Instructure has confirmed it is investigating a cyberattack, the company has not provided detailed public disclosures regarding the scope of the exposure or the specific methods used by the attackers BleepingComputer.

Educational institutions are currently reacting to the uncertainty surrounding the breach. The University of Colorado Boulder has publicly acknowledged the event as a "nationwide" issue, while other organizations, such as Rutgers and Tilburg University, have issued statements noting that they are awaiting further clarification from the vendor to determine if their specific user data was compromised BleepingComputer.

As of now, Instructure has not responded to repeated requests for comment regarding the incident BleepingComputer. The lack of transparency from the vendor has left many affected schools and universities in a position of uncertainty, forcing them to conduct their own internal assessments to gauge potential risks to their student and faculty populations.

This incident highlights the significant security risks associated with centralized cloud-based educational platforms, which aggregate massive amounts of sensitive data. The abuse of built-in administrative and reporting features—often referred to as "living off the land" in a cloud context—remains a persistent challenge for organizations relying on third-party SaaS providers. Security researchers and IT administrators will likely be watching for further details on how these specific APIs were secured and whether additional authentication controls are implemented in the wake of this disclosure BleepingComputer.

Synthesized by Vypr AI
ShinyHunters Claims Massive Data Theft from Instructure’s Canvas Platform · VYPR