Canvas Maker Instructure Faces May 6 Leak Deadline After ShinyHunters Breach Claim

Edtech giant confirms breach exposing names, emails, student IDs, and private messages — the second Instructure incident tied to ShinyHunters in eight months.

Edtech firm Instructure confirmed over the weekend that a criminal threat actor stole user data from its systems. The ShinyHunters group has claimed responsibility and is alleging it exfiltrated 3.65 terabytes of records belonging to roughly 275 million students, teachers, and staff across nearly 9,000 institutions worldwide.

The ShinyHunters group has set a May 6 deadline for Instructure to negotiate before publishing the data, according to multiple researchers monitoring the leak site.

Instructure, the Salt Lake City–based company behind the Canvas learning management system, disclosed the incident in a May 1 status update from Chief Information Security Officer Steve Proud.

“We are working quickly to understand the extent of the incident and actively taking steps to minimize its impact. Maintaining your trust is our highest priority, and we are committed to transparency throughout this process,” Proud said in the statement.

The company said it had retained outside forensics experts and was working to contain the impact. By May 2, Proud reported the incident had been contained and that the company had revoked privileged credentials, rotated application keys, and deployed patches across affected systems.

In a follow-up update, Instructure said the exposed data appears to include names, email addresses, student ID numbers, and messages exchanged among users. The company stated that it has found no evidence that passwords, dates of birth, government identifiers, or financial information were accessed, but committed to notifying impacted institutions if that changes.

UMass Amherst IT, in a May 3 service update citing Instructure’s communications to Canvas customers, said the incident was a “vendor-driven national event” affecting multiple institutions and that UMass had not been notified whether its campus was directly impacted. The university said Instructure’s response may disrupt some Canvas users because application keys were reissued, requiring some users to reauthorize tools or content. UMass also said Canvas Data 2, Canvas Beta and Canvas Test remained under maintenance, while some tools relying on API keys could experience limited disruption.

The disruption also shows how OAuth and application-level trust can turn a vendor breach into an operational problem for customers. Canvas integrations often rely on OAuth2 developer keys, access tokens and LTI connections to let third-party tools work inside the LMS without collecting user passwords — the same trust model Security Point Break recently examined in its coverage of OAuth risk and AI-driven application sprawl.
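One way a Canvas customer could check what the key reissue did to its integrations, as an added example that is not from Instructure, UMass or the original article. The log format, integration names and exact cutover time are constructed assumptions; the point is to separate tools that need reauthorization from any still succeeding with a pre-rotation key.

```python
from datetime import datetime, timezone

# Assumption: the cutover time is a placeholder; the article only says keys were rotated by May 2.
ROTATED_AT = datetime(2026, 5, 2, tzinfo=timezone.utc)

# Constructed sample records (hypothetical format): time, integration, key issue date, HTTP status.
SAMPLE_LOG = """\
2026-05-01T09:00:00Z gradebook-sync key_issued=2025-08-14 status=200
2026-05-02T10:15:00Z gradebook-sync key_issued=2025-08-14 status=401
2026-05-03T08:00:00Z gradebook-sync key_issued=2025-08-14 status=401
2026-05-01T11:30:00Z plagiarism-check key_issued=2025-01-20 status=200
2026-05-02T12:00:00Z plagiarism-check key_issued=2025-01-20 status=401
2026-05-03T09:45:00Z plagiarism-check key_issued=2026-05-03 status=200
2026-05-03T14:20:00Z sis-export key_issued=2024-11-02 status=200
"""

def parse(log):
    """Yield one event dict per non-empty log line."""
    for line in log.strip().splitlines():
        ts, name, issued, status = line.split()
        yield {
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "name": name,
            "issued": datetime.fromisoformat(issued.split("=")[1]).replace(tzinfo=timezone.utc),
            "status": int(status.split("=")[1]),
        }

def triage(log, rotated_at=ROTATED_AT):
    """Classify each integration by its behaviour after the rotation."""
    verdicts = {}
    for ev in sorted(parse(log), key=lambda e: e["ts"]):
        name = ev["name"]
        verdicts.setdefault(name, "no_activity")
        # Ignore pre-rotation traffic; a stale-key finding is never overwritten.
        if ev["ts"] < rotated_at or verdicts[name] == "stale_key_accepted":
            continue
        old_key = ev["issued"] < rotated_at
        succeeded = 200 <= ev["status"] < 300
        if succeeded and old_key:
            verdicts[name] = "stale_key_accepted"      # rotation did not take effect: escalate
        elif succeeded:
            verdicts[name] = "recovered"               # working again on a reissued key
        elif ev["status"] in (401, 403):
            verdicts[name] = "needs_reauthorization"   # rejected since rotation, not yet re-approved
    return verdicts

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name}: {verdict}")
```

A `stale_key_accepted` verdict is the one to raise with the vendor, since it means a credential issued before the rotation is still being honored.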

ShinyHunters listed Instructure on its Tor-based leak site on May 3, claiming the haul includes billions of private messages between students, teachers, and staff, along with data exfiltrated from Instructure’s Salesforce environment.

Canvas serves more than 7,000 universities, K-12 districts, and education ministries globally, making it one of the most widely deployed learning platforms in the United States. Instructure has not yet publicly confirmed the threat actor’s identity or the size of the breach, and has not responded to requests for comment from multiple outlets including BleepingComputer and SecurityWeek.

The disclosure marks the second Instructure breach tied to ShinyHunters in less than a year. In September 2025, the company disclosed a separate intrusion stemming from a social engineering attack against its Salesforce instance, which ShinyHunters also claimed.

At the time, Instructure characterized the exposed records as “largely publicly available business information.” The May 2026 incident, by contrast, involves student- and teacher-level data subject to FERPA, the FTC’s updated COPPA rule that took effect April 22, 2026, and roughly 130 state student privacy statutes including New York Education Law 2-d and California’s SOPIPA.

ShinyHunters has spent the last 18 months running a sustained campaign against Salesforce-connected enterprises, with claimed victims including Google, AT&T, Air France-KLM, Adobe, McGraw-Hill, Carnival, Canada Life, and edtech competitor Infinite Campus. The group’s January 2025 attack on PowerSchool, which exposed records on roughly 62 million students, ultimately produced a $17.25 million settlement and class action litigation across 11 states.

Affected institutions face a compressed notification window. Most state breach notification laws require disclosure within 30 to 90 days of confirmation, and FERPA’s “school official” exception places the legal notification obligation on schools rather than on Instructure itself. Universities and districts using Canvas should review third-party integrations, audit Salesforce-connected workflows, and prepare to issue notices pending the outcome of the forensic investigation.

Photo by Mira Kireeva on Unsplash
