The ShinyHunters hacking group says they’ve stolen data on roughly 275 million students, teachers, and staff from Canvas — the learning platform behind 9,000 schools worldwide.
What Happened in the Canvas Data Breach?
Instructure, the company that owns Canvas, confirmed the cybersecurity incident on May 1, 2026. Two days later, the ShinyHunters hackers posted Instructure on their dark-web extortion site with a blunt threat: “PAY OR LEAK.”
The first sign of trouble came on April 30, when Instructure took Canvas Data 2 and Canvas Beta offline after disruption to tools relying on API keys (the technical credentials apps use to talk to each other). By May 1, CISO Steve Proud confirmed the company had been hit by “a cybersecurity incident perpetrated by a criminal threat actor,” and forensic experts (digital investigators specializing in tracing breaches) were brought in.
On May 2, Proud said the incident was contained. Instructure had revoked privileged credentials, deployed patches, rotated application keys, and ramped up monitoring. However, on May 3, the ShinyHunters group listed Instructure on their Tor-based extortion site. Canvas services were back online by May 4.
What Data Was Exposed?
There are two versions of this story, and they don’t quite line up.
What Instructure confirmed: names, email addresses (mostly institutional .edu accounts), student ID numbers, and messages sent through Canvas inbox. The company says it found no evidence that passwords, dates of birth, government identifiers, or financial information were touched.
What the ShinyHunters hackers claim: 3.65 TB of data, roughly 275 million people, 9,000 schools, and 15,000 institutions across North America, Europe, Asia, and Oceania. The group also says they broke into Instructure’s Salesforce environment. A ShinyHunters member told TechCrunch the unique email count is around 231 million.
A note of caution: financially motivated hacking groups regularly inflate numbers to pressure victims and grab headlines. There’s no independent way to verify the attackers’ figures yet.
Who’s on the List?
A list reviewed by security firm SOCRadar shows the scale of this Instructure data breach. It includes Ivy League names — Harvard, Stanford, MIT, Princeton, Yale — alongside huge K-12 districts like Clark County (Las Vegas) and Houston ISD. Some districts run their own branded portals — DPS Instructure Canvas (Denver Public Schools), for example — and these single-tenant deployments are part of the same affected platform.
Corporate tenants show up too: Amazon, Apple, Disney, Goldman Sachs, and Bloomberg all use Instructure for internal training, as do US agencies, including the Department of Defense and FEMA. The list spans all 50 US states and six continents.
Instructure’s Second ShinyHunters Hit in Eight Months
This isn’t the first time. In September 2025, Instructure disclosed a separate breach where attackers used social engineering against its Salesforce environment. That breach was part of a much larger campaign — attackers used vishing (voice phishing — phone-based scams that trick employees into approving things they shouldn’t) to convince staff at hundreds of companies to install a malicious “Data Loader” app, which drained their CRM data (customer relationship management — the systems companies use to track customers) at scale. The ShinyHunters hacker group claims that the operation netted 1.5 billion records from around 760 organizations.
Eight months later, Instructure is in the same spot. Two breaches, both involving Salesforce, both attributed to the same group. That’s not a coincidence — it’s a pattern the company hasn’t closed off.
Why ShinyHunters Hackers Keep Targeting Ed-tech
The ShinyHunters hacking group isn’t picking targets at random. They’ve been working through the education technology sector methodically for over a year:
- PowerSchool, December 2024 — 62 million students and 9.5 million teachers exposed.
- Infinite Campus, March 2026 — the K-12 student information system used by 11 million students across 46 US states, breached through its Salesforce integration.
- McGraw-Hill, April 2026 — 13.5 million unique email addresses confirmed leaked.
- Universities directly — University of Pennsylvania, Harvard, and Princeton all hit in late 2025.
Why edtech? Student data is a long-tail goldmine. Mix a real name with a .edu email and a student ID, and you have everything you need to run convincing phishing attacks for years. .edu addresses also unlock student perks (Amazon Prime Student, GitHub Education, software discounts) that get resold on underground markets. And students tend to be less security-trained than corporate employees, so the success rate on follow-up scams is higher.
What Should You Do If Your School Uses Canvas?
The biggest risk from this Canvas data breach is phishing. Attackers now have names, .edu emails, student IDs, and the context of real Canvas conversations. Scams hitting your inbox over the next few weeks won’t look like the usual junk — they’ll look like an email from your TA or registrar, referencing real classes. The topics will push you to act fast: payment problems, account recovery, and urgent assignments. The rush is the scam.
Some practical steps:
- Treat any “Canvas” email as suspicious for the next several weeks. Open Canvas directly through your school’s portal — whether that’s a generic instructure.com URL or a custom one like DPS Instructure Canvas.
- Change your Canvas password and turn on two-factor authentication.
- Inside Canvas settings, check active sessions and sign out anything you don’t recognize.
- Review your OAuth-connected integrations (OAuth lets third-party apps access your account without your password) and remove anything you don’t use.
- If an email tells you to “re-authorize” something, don’t follow the link. Real re-authorization happens from inside Canvas.
The post ShinyHunters Hacking Group Hits Instructure: 275M Canvas Users Exposed appeared first on Memeburn.
