Instructure Confirms Data Breach as ShinyHunters Claims 275 Million Records Stolen From Canvas Platform

Instructure, the U.S.-based education technology company behind the Canvas learning management system, has confirmed that personal information belonging to users was exposed in a cyberattack, with the ShinyHunters extortion gang claiming responsibility and alleging one of the largest breaches ever recorded in the education sector.

The company first disclosed a cybersecurity incident on Friday. By Saturday, it had updated its statement to confirm that user data was involved.

"While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users," the company said in its updated statement.

Instructure added that it has found no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. "If that changes, we will notify any impacted institutions," the statement read.

In response to the incident, Instructure said it deployed patches, increased monitoring, and rotated application keys. Customers are required to re-authorize access to Instructure's API in order to receive new application keys.

ShinyHunters, a well-known extortion group, has since listed Instructure on its data leak site, putting forward figures that far exceed what the company has confirmed. The group claims the breach affected nearly 9,000 schools worldwide and exposed data belonging to 275 million individuals — students, teachers, and other staff — along with "several billions of private messages."

ShinyHunters also claimed that Instructure's Salesforce instance was compromised as part of the attack.

The threat actor's listing further alleges the stolen records span more than 240 million entries tied to students, teachers, and staff, including names, email addresses, enrolled course information, and private messages. The alleged dataset reportedly covers institutions across North America, Europe, and the Asia-Pacific region, encompassing nearly 15,000 institutions in total.

ShinyHunters attributed the breach to a vulnerability in Instructure's systems, which it said has since been patched. Instructure has not publicly responded to the threat actor's specific claims.

Canvas is one of the most widely deployed learning management systems in the world, used by schools, universities, and organizations to manage coursework, assignments, and online learning — a reach that amplifies the potential scale of the exposure if the threat actor's figures are borne out.

The gap between Instructure's confirmed disclosure and ShinyHunters' claims is significant and has not been independently verified. The company has not commented on whether it is facing extortion demands or on the timeline of when the breach occurred.

The incident arrives amid a broader pattern of ShinyHunters targeting institutions with large user databases. The group has previously claimed attacks against Infinite Campus and other organizations, applying public pressure through data leak site listings to extract payments.

Instructure said it is working with third-party cybersecurity experts and law enforcement as the investigation continues, signaling that the full scope of the breach — and whether the threat actor's sweeping claims hold up — remains an open question.