Cybersecurity | May 4, 2026 | 13 min read

Instructure Canvas Breach: ShinyHunters Steals Data of 275 Million Users

Secured Intel Team

Editor at Secured Intel

Schools and universities rely on centralized digital platforms to store student names, email addresses, IDs, and private communications. When attackers gain unauthorized access to such systems, copy sensitive data, and threaten to expose it unless a ransom is paid, it becomes a serious data breach. In this case, the hacker group ShinyHunters targeted Instructure, the company behind Canvas LMS — a platform used by millions of students and educators worldwide — extracting personal information and private messages to use as leverage for extortion.


Introduction

On April 30, 2026, Instructure's status page quietly flagged "disruptions to tools relying on API keys." Within 24 hours, what looked like a routine outage had become one of the most significant education-sector data breaches in recent memory. The cyberattack was blamed for service disruptions, and by May 1 the company confirmed that cybercriminals were responsible, retaining outside forensics experts to investigate. Three days later, the extortion gang ShinyHunters dropped a listing on its Tor-based leak site with a chilling claim: 3.65 terabytes of data stolen from the personal records of 275 million students, teachers, and other individuals across close to 9,000 educational institutions worldwide.

What makes this breach especially alarming isn't just its scale — it's that this is the second confirmed intrusion at Instructure in less than eight months, and the same threat actor appears responsible for both. For security professionals responsible for edtech environments, this incident is a case study in credential compromise, third-party integration risk, and the consequences of incomplete post-incident remediation. This post breaks down exactly what happened, how ShinyHunters operates, and what your organization should do now.


What Was Stolen and What Instructure Confirmed

Confirmed Data Exposure

Instructure confirmed that the personal information of users was exposed, with indications that the information involved includes certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.

Critically, Instructure stated it found no evidence that passwords, dates of birth, government identifiers, or financial information were involved — a meaningful distinction, but one that offers limited comfort given the volume and nature of what was taken.

The confirmed data classes map directly to high-value social engineering fodder:

| Data Type | Confirmed Exposed | Risk Level | Likely Abuse Vector |
| --- | --- | --- | --- |
| Full names | Yes | Medium | Phishing, impersonation |
| School email addresses | Yes | High | Spear phishing, credential stuffing |
| Student ID numbers | Yes | High | Identity fraud, account takeover |
| Private user messages | Yes | Critical | Social engineering, extortion |
| Passwords / financial data | Not confirmed | | |
| Salesforce instance data | Claimed by ShinyHunters | Under investigation | CRM data, contact lists |

What ShinyHunters Claims

ShinyHunters went significantly further than what Instructure confirmed. The group claims to hold over 240 million records tied to students, teachers, and staff spanning almost 15,000 institutions across North America, Europe, and East Asia/Oceania, and alleges it obtained several billion private messages exchanged within the platform. The group also warned: "Your Salesforce instance was also breached. Pay or Leak," setting a deadline of May 6 for Instructure to make contact.

Important: ShinyHunters has not yet released a data sample to verify these figures independently. However, Cybernews researchers noted that given Canvas's scale, the numbers are plausible. BleepingComputer and SecurityWeek have both been unable to independently confirm the full scope. Treat ShinyHunters' figures as a ceiling, not a floor — but don't use the uncertainty as a reason to delay your own institutional response.


Who Is ShinyHunters and Why Education Is Their New Target

The Group's Operational Profile

ShinyHunters is not a new name in threat intelligence circles. The gang built its name by stealing and selling data on dark web forums, and in 2025, it pivoted to vishing campaigns targeting enterprise Salesforce environments. Security researchers tie the group to a broader supergroup alongside Scattered Spider and LAPSUS$, all sharing overlapping members and roots in the youth cybercrime subculture known as "The Com."

Their recent victim list reads like a who's-who of high-value targets: ShinyHunters has been responsible for a wide range of high-profile data theft operations, previously targeting companies including Google, AT&T, and Air France-KLM via Salesforce environments. In September 2025, the group claimed to have stolen 1.5 billion Salesforce records from 760 companies.

More recently, the group also listed Red Hat on its leak site, with security researchers describing the group's platform as functioning like extortion-as-a-service.

Why Education Platforms Are High-Value Targets

The education sector has become a preferred hunting ground for financially motivated threat actors for reasons that go beyond data volume:

  • Aggregated PII at scale: Canvas serves tens of millions of users globally. One API compromise yields identity-grade data on students across thousands of institutions.
  • Weak MFA adoption: Administrative and faculty accounts in K-12 and higher education frequently lack enforced multi-factor authentication.
  • Rich private communications: Learning management systems store private student-teacher messages, academic records, and behavioral data that create powerful leverage for extortion.
  • Regulatory complexity: FERPA, COPPA, GDPR, and dozens of state-level student privacy laws create a compliance minefield that makes institutions hesitant to disclose fully — a dynamic threat actors exploit.
  • Third-party integration sprawl: Canvas integrates with hundreds of third-party tools via API keys. Each integration is a potential lateral movement path.

Pro Tip: Map your Canvas API integrations quarterly. Identify which third-party tools have read access to student PII, and revoke any tokens tied to dormant or decommissioned applications. The blast radius of a breach shrinks dramatically when integration hygiene is maintained.


This Is Instructure's Second Breach in Eight Months

Perhaps the most operationally significant detail in this incident is its precedent. This incident marks the second time in less than a year that Instructure has been attacked by ShinyHunters. The company's systems were breached in September 2025, and at the time the company said the incident was largely confined to the exposure of publicly available business information. The extortion group claimed credit for that attack, saying it used social engineering tactics to get into Instructure's Salesforce instance.

The remediation Instructure described for the May 2026 incident — revoking privileged credentials, rotating application keys, deploying patches — points to a credential or token compromise rather than a Salesforce-style social engineering route. The company has not said whether the access path is connected to the September 2025 breach or is independent.

What does two breaches in eight months by the same threat actor tell a security professional? It tells you that post-incident remediation was likely incomplete. Rotating credentials and patching the known vulnerability addresses the immediate vector — it doesn't address whether the attacker retained persistence, seeded additional access paths, or performed reconnaissance during initial dwell time.

MITRE ATT&CK Mapping of the Likely Attack Chain

| ATT&CK Technique | ID | Description in Context |
| --- | --- | --- |
| Phishing / Vishing | T1566 / T1598 | Social engineering used in September 2025 Salesforce intrusion |
| Valid Accounts (compromised credentials) | T1078 | API keys and privileged credentials revoked post-breach |
| Exploitation of Public-Facing Application | T1190 | Vulnerability in systems, now patched per ShinyHunters' claim |
| Data from Information Repositories | T1213 | Canvas messages and student PII exfiltrated at scale |
| Exfiltration over C2 Channel | T1041 | 3.65 TB of data transferred |
| Extortion / Financial Motivation | | ShinyHunters' extortion-as-a-service model applied |

Compliance and Legal Exposure for Affected Institutions

This breach doesn't just affect Instructure — it creates direct compliance obligations for every institution using Canvas. Security and compliance teams need to understand the regulatory surface immediately.

COPPA — the FTC's updated Children's Online Privacy Rule that took effect April 22, 2026 — covers under-13 user data and tightens consent and breach notice requirements. Canvas serves K-12 down through elementary, which means a meaningful share of affected accounts may belong to children inside the COPPA boundary.

State student privacy laws — including New York Education Law 2-d, California's SOPIPA, and roughly 130 similar statutes across other states — impose vendor-specific notification and security duties separate from FERPA. Instructure's contract clauses with each district are what state attorneys general will read first.

For reference, the comparable PowerSchool breach — which exposed K-12 student and teacher data in January 2025 — resulted in a $17.25 million settlement and class actions in 11 states.

| Regulation | Applicability | Key Obligation Triggered |
| --- | --- | --- |
| FERPA | All U.S. institutions | Notify institutions; institutions notify parents/students |
| COPPA (updated 2026) | K-12 with under-13 users | Tightened breach notice, parental consent requirements |
| GDPR | EU/UK institutions | 72-hour supervisory authority notification |
| State laws (NY 2-d, SOPIPA, ~130 others) | State-by-state | Vendor contract obligations, AG scrutiny |
| NIST CSF 2.0 | Recommended framework | Respond and Recover functions now active |

What Affected Institutions and Users Should Do Now

For Security and IT Teams

Following NIST CSF 2.0's Respond and Recover functions and CIS Control 17 (Incident Response Management), affected institutions should take the following steps immediately:

  • Audit active Canvas API integrations — identify all third-party tools with OAuth tokens or API keys and revoke anything unused or unrecognized
  • Enforce MFA on all admin and faculty accounts — this is a hard requirement, not a configuration recommendation
  • Alert affected students and teachers — names, emails, and student IDs are now potentially in threat actor hands; targeted phishing campaigns will follow
  • Review Salesforce integration access — ShinyHunters has a demonstrated pattern of using Salesforce as a pivot point; audit OAuth connections and SOQL query logs
  • Preserve forensic artifacts — before rotating all credentials, ensure logs from April 30 onward are preserved for investigation
  • Engage legal counsel — determine your institution's notification obligations under FERPA, applicable state laws, and COPPA if you serve students under 13
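As an added example (not Instructure's or Canvas's own code) of the integration audit recommended in the Pro Tip and in the first checklist item above, the script below triages a constructed export of API tokens, flagging dormant or decommissioned tokens for revocation and ownerless tokens that read student PII for review. The record fields and scope names are assumptions for illustration, not the Canvas API schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes that reach the data classes exposed in the breach (assumed names,
# not the Canvas API's own scope strings).
PII_SCOPES = {"users:read", "conversations:read", "enrollments:read"}


@dataclass(frozen=True)
class Finding:
    token_id: str
    app: str
    action: str      # "revoke" or "review"
    reasons: tuple


def triage(inventory, now, max_idle_days=90):
    """Classify each integration token; returns findings with revocations first."""
    findings = []
    for rec in inventory:
        reasons = []
        last_used = rec.get("last_used_at")
        if last_used is None:
            reasons.append("never used")
        elif now - datetime.fromisoformat(last_used) > timedelta(days=max_idle_days):
            reasons.append(f"idle more than {max_idle_days} days")
        if rec.get("status") == "decommissioned":
            reasons.append("application decommissioned")
        dormant = bool(reasons)          # any of the above means revoke
        touches_pii = bool(set(rec.get("scopes", ())) & PII_SCOPES)
        if touches_pii and not rec.get("owner"):
            reasons.append("reads student PII with no named owner")
        if not reasons:
            continue                     # active, owned: nothing to flag
        action = "revoke" if dormant else "review"
        findings.append(Finding(rec["id"], rec["app"], action, tuple(reasons)))
    findings.sort(key=lambda f: (f.action != "revoke", f.token_id))
    return findings


# Constructed sample export (four tokens); not real Instructure data.
SAMPLE_INVENTORY = [
    {"id": "tok-1", "app": "gradebook-sync", "owner": "it-ops",
     "last_used_at": "2026-05-02T10:00:00+00:00", "scopes": ["users:read"]},
    {"id": "tok-2", "app": "legacy-plagiarism", "owner": "it-ops", "status": "decommissioned",
     "last_used_at": "2025-09-01T08:00:00+00:00", "scopes": ["users:read"]},
    {"id": "tok-3", "app": "analytics-pilot", "owner": "", "last_used_at": None, "scopes": []},
    {"id": "tok-4", "app": "survey-widget", "owner": None,
     "last_used_at": "2026-04-29T12:00:00+00:00", "scopes": ["conversations:read"]},
]
AS_OF = datetime(2026, 5, 4, tzinfo=timezone.utc)   # audit date, constructed


def triage_sample():
    return triage(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for f in triage_sample():
        print(f.action.upper(), f.token_id, f.app, "; ".join(f.reasons))
```

Run it against your own token export and preserve the export itself as a forensic artifact before revoking anything.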

For Students and Families

For affected students and teachers, the most immediate concern is targeted phishing. With names, school email addresses, and student IDs in the wrong hands, attackers can build convincing scams that look like they come from an administrator or classmate. Private messages add another layer of risk if they reference grades, family situations, or anything sensitive.

Be skeptical of any email referencing your specific student ID, Canvas message threads, or course-specific details. ShinyHunters has a track record of selling breach data that fuels phishing campaigns months after the initial incident.


🔑 Key Takeaways

  • Verify your Canvas API token inventory now — every dormant third-party integration is a potential unmonitored access path; revoke anything not actively in use
  • Enforce MFA on privileged accounts without exceptions — admin and faculty credentials without MFA are the most common initial access vector in edtech breaches
  • Treat private messages as sensitive PII — Canvas message data has the same regulatory and reputational weight as academic records; classify and protect accordingly
  • Incomplete remediation after a first breach is a second breach waiting to happen — post-incident reviews must assess for persistence and lateral movement, not just patch the known vulnerability
  • Understand your COPPA and FERPA notification timelines — state attorneys general are watching edtech closely after PowerSchool; proactive, accurate disclosure reduces regulatory exposure
  • Watch for downstream phishing campaigns — ShinyHunters monetizes breach data over months, not days; user awareness programs need to run beyond the immediate news cycle

Conclusion

The Instructure breach is not a story about a single vulnerability or an unlucky quarter. It is a story about what happens when a threat actor as persistent and operationally sophisticated as ShinyHunters targets a platform that serves tens of millions of students with inconsistent security enforcement and complex third-party integration sprawl. Two breaches in eight months from the same group is not bad luck — it is a signal that the root cause of the first incident was never fully resolved.

For security teams in higher education and K-12, this is the moment to pressure-test your assumptions about edtech vendors. Ask your Canvas representative for their third-party penetration test results. Review every API integration your institution has authorized. Enforce MFA on every privileged account today, not next quarter. The students and educators in your institutions trusted these platforms with their conversations, their academic identities, and in many cases their most personal communications. That trust demands a more rigorous security posture than the education sector has historically applied.

Start with a Canvas API integration audit this week. It takes less time than a breach notification letter.


Frequently Asked Questions

Q: Was my Canvas password exposed in the Instructure breach? Instructure has stated that, as of their May 2 update, there is no evidence that passwords, dates of birth, government identifiers, or financial information were involved. What was confirmed as exposed includes names, email addresses, student ID numbers, and private messages between users. That said, the investigation is ongoing — change your Canvas password and enable MFA if your institution offers it.

Q: How many students and schools are actually affected? Instructure has not released specific user or institution counts. ShinyHunters claims 275 million individuals across nearly 9,000 schools, while also referencing 15,000 institutions in other parts of their post. These figures have not been independently verified by BleepingComputer, SecurityWeek, or Instructure itself. The confirmed breach is real; the full scope remains under investigation.

Q: Is this the same group that hacked PowerSchool in January 2025? No — the PowerSchool breach was attributed to a separate threat actor. However, ShinyHunters did attack Instructure's Salesforce instance in September 2025, making this the second confirmed ShinyHunters intrusion at Instructure in under a year. Both incidents reflect the same pattern: targeting widely-used edtech platforms with aggregated student PII.

Q: What should a school district's IT team do right now? Immediately audit all active API integrations connected to your Canvas instance and revoke any dormant or unrecognized tokens. Enforce multi-factor authentication on all administrative and faculty accounts. Notify your legal team to assess FERPA, state student privacy law, and COPPA notification obligations. Monitor for phishing attempts targeting students and staff using their confirmed Canvas data.

Q: Why does ShinyHunters keep targeting education platforms specifically? Education platforms aggregate enormous volumes of identity-grade PII — names, institutional email addresses, student IDs, and private communications — across millions of users on a single system. Combined with historically weak MFA enforcement, complex third-party integration environments, and regulatory constraints that slow disclosure, they represent high-yield, lower-resistance targets compared to heavily fortified financial or healthcare systems. The trend is not accidental; it reflects deliberate targeting strategy.
