Major Data Breach at Instructure Exposes Personal Information of Millions of Students and Educators Worldwide

By Ashish S
Major Data Breach at Instructure Exposes Personal Information of Millions of Students and Educators Worldwide

In a significant cybersecurity incident that has sent ripples through the education sector, Instructure, the company behind the widely used Canvas learning management system, has confirmed a data breach affecting millions of users across thousands of educational institutions globally. The breach, attributed to the cyber extortion group ShinyHunters, highlights the growing vulnerabilities in cloud-based educational platforms that have become essential tools for teaching and learning.

Timeline of the Incident

The breach came to light in late April 2026 when Instructure first detected suspicious activity in its cloud-hosted environment. Service disruptions were reported by users on April 30, affecting tools integrated with Canvas, such as authentication services and related platforms. By early May, the company publicly acknowledged the incident and confirmed that unauthorized access had occurred.

Instructure stated that it detected the attacker on April 29, immediately revoked access, and took further steps on April 30 to address the underlying vulnerability. The company worked with external forensics experts and law enforcement while implementing enhanced security measures across its infrastructure. Despite these efforts, the threat actor had already exfiltrated substantial amounts of data.

Scale and Scope of the Breach

ShinyHunters claimed responsibility for the attack, alleging the theft of approximately 3.65 terabytes of data impacting nearly 9,000 schools, universities, and educational platforms worldwide. The group stated that the compromised records involve around 275 million individuals, including students, teachers, and staff members.

Affected institutions span K-12 districts and higher education entities across the United States, Australia, and other regions. Notable examples include universities such as the University of Pennsylvania, Rutgers, Baylor, and various public school systems in states like North Carolina. In Australia, providers in Queensland, Tasmania, and South Australia have also been impacted.

The attackers published a detailed list of affected institutions, showing varying record counts per organization, ranging from tens of thousands to several million depending on the size of the institution.

Data Compromised in the Breach

According to both Instructure and the threat actors, the exposed information includes:

  • Names of users
  • Email addresses
  • Student or institutional ID numbers
  • Private messages exchanged between students, teachers, and staff on the Canvas platform

Instructure has emphasized that there is no evidence of passwords, dates of birth, government identifiers, or financial information being accessed. However, the inclusion of billions of private messages raises serious concerns about the exposure of sensitive personal conversations, academic discussions, and potentially confidential details shared within the platform.

The Threat Actor: ShinyHunters

ShinyHunters is a well-known cyber extortion group with a history of targeting large organizations, including previous incidents involving universities and major corporations. In this case, the group issued a "pay or leak" ultimatum, initially setting a deadline around May 6, 2026. They have shared sample data to validate their claims and threatened to release the full dataset if their demands are not met.

The group reportedly accessed data through Canvas export features, APIs, and provisioning reports, allowing them to harvest large volumes of user records and messages.

Instructure's Response and Mitigation Efforts

Instructure has been transparent in its communications via its official status page. The company confirmed the incident was contained, rotated internal keys, restricted token creation, patched vulnerabilities, and increased monitoring. Canvas and related services have been restored for most users, though some maintenance and security enhancements may cause minor inconveniences.

Educational institutions using Canvas have begun notifying their communities. Affected organizations are advising users to remain vigilant against phishing attempts that could exploit the leaked information.

Implications for the Education Sector

This breach underscores the critical risks associated with supply-chain vulnerabilities in education technology. Canvas is used by a substantial portion of higher education institutions in North America and serves millions of users globally. As schools and universities increasingly rely on third-party cloud platforms, a single breach can have far-reaching consequences.

Potential risks for individuals include identity theft, targeted phishing campaigns, and privacy violations stemming from exposed personal messages. For institutions, the incident may lead to regulatory scrutiny, legal challenges, and loss of trust among students and faculty.

Recommendations for Users and Institutions

Students, educators, and staff who use Canvas should:

  • Monitor official communications from their schools for personalized notifications
  • Be cautious of unsolicited emails or messages referencing Canvas or academic details
  • Avoid reusing passwords across different services
  • Enable multi-factor authentication wherever possible
  • Review account activity for any suspicious behavior

Educational institutions are encouraged to review their data protection practices, enhance vendor security requirements, and prepare response plans for similar future incidents.

This event serves as a stark reminder of the evolving cyber threat landscape and the need for continuous investment in cybersecurity across the education technology ecosystem.

Ashish S
Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.