Hackers Threaten to Leak Millions of Student Records After Instructure Breach

Key facts

• Instructure, the parent company of Canvas, confirmed a data breach affecting student information.
• The hacking group ShinyHunters claimed responsibility for the breach.
• Hackers claim to have stolen 280 million records, including names, email addresses, and private messages.
• A sample of stolen data included information from two U.S. schools and data from the University of Pennsylvania.
• ShinyHunters threatened to leak the full data by May 8 unless a ransom is paid.
• The group published a list of 8,809 affected educational institutions, including Ivy League universities.
• Instructure stated the incident has been contained and some services, like Canvas, have been restored.

Millions of Student Records at Risk After Education Tech Giant Hacked

Education technology provider Instructure has confirmed a significant data breach that has exposed the private information of millions of students and staff. The hacking and extortion group ShinyHunters has claimed responsibility, threatening to release vast amounts of stolen personal data unless a ransom is paid. This incident places sensitive information from numerous educational institutions worldwide under immediate threat. Instructure, best known for its Canvas learning management system, disclosed the breach on May 1, stating it was investigating a "cybersecurity incident perpetrated by a criminal threat actor." The company later confirmed that user names, email addresses, and private messages were among the exposed data. As of Tuesday, some of its products, including Canvas, had been restored for customers following maintenance. The hackers, ShinyHunters, have been notorious for large-scale data breaches targeting major corporations. They claim to have stolen approximately 280 million records tied to students and staff from 8,809 colleges, school districts, and online education platforms. This figure includes unique emails from an estimated 231 million individuals, according to a member of the group.

Details of the Stolen Data and Hacker Demands

A sample of the allegedly stolen data, shared with media outlets, included names, personal email addresses, and messages exchanged between teachers and students. In one instance, data from a U.S. school in Massachusetts contained messages with names, email addresses, and some phone numbers. Another sample from a school in Tennessee comprised students' full names and email addresses. Crucially, the provided samples did not contain passwords or other data types Instructure stated were unaffected. ShinyHunters has set a deadline, threatening to leak the full contents of the data by May 8 if not contacted by Instructure or the affected schools. The group has also alleged possession of "billions of private messages among students, teachers, and other staff which may contain other additional information like phone numbers and home addresses." A message accompanying a data cache released on May 3 stated the group had user data from 275 million individuals along with "several billions of private messages."

Institutions Targeted and Vendor Response

The cybercrime group published a list of the nearly 9,000 institutions allegedly affected by the breach, including all eight Ivy League universities. The hackers suggested that institutions interested in preventing the release of their data could "consult with a cyber advisory firm and contact us privately." The record counts for each educational institution range from tens of thousands to several million per institution. Instructure's spokesperson, Kate Holmes, largely deferred questions to the company's official updates page, offering no direct answers to specific inquiries. The company has stated it is investigating the attack with third-party cybersecurity experts and law enforcement agencies. On May 2, Instructure released an update stating that the "incident has been contained."

University Statements and Potential Impact

Some universities have begun issuing statements acknowledging the potential impact of the breach. The University of Colorado Boulder warned that the data breach involving Instructure, the parent company of Canvas, is a "nationwide event affecting multiple institutions." Rutgers University, however, stated it had not been notified of any direct impact and that Canvas remained operational for its users. Tilburg University in the Netherlands indicated an investigation was underway to determine the exact nature and scope of the breach, noting that it had not yet been confirmed whether data belonging to its students and staff was impacted. The university stated further questions had been submitted to Instructure for clarity. The Daily Pennsylvanian confirmed that the group obtained University of Pennsylvania user data after a ShinyHunters member shared a sample including Canvas user accounts and internal messages.

History of ShinyHunters and Ransom Tactics

ShinyHunters has a history of targeting universities and cloud database companies, aiming to steal vast amounts of personal information and extort payment. The group previously targeted Penn in the fall of 2025, releasing thousands of internal files. In February, a ShinyHunters spokesperson claimed Penn had failed to pay a $1 million ransom to prevent the release of stolen files. Financially motivated hacking groups are known to exaggerate their claims to attract media attention and pressure victims. However, the scale of the data allegedly compromised in this Instructure breach, potentially affecting 275 million individuals, underscores the significant risk to personal data privacy. The group's ultimatum, with a final warning issued for May 6, 2026, before a wider leak, highlights the urgency for affected institutions to respond.

The Canvas Platform and Data Export Methods

Instructure's Canvas platform is widely used by schools and universities to manage coursework, assignments, grading, and communication between students and faculty. The threat actor claims the data was stolen by exploiting Canvas's data export features, including DAP queries, provisioning reports, and user APIs. This method allowed them to harvest hundreds of gigabytes of user records, messages, and enrollment data. The hackers claim the breach affected close to 9,000 schools globally, with the total number of unique emails included in the stolen data amounting to 231 million. While Instructure has stated the incident is contained, the potential for widespread data exposure remains a critical concern for millions of students and educators.

The bottom line

• Instructure, the company behind the Canvas learning platform, has confirmed a major data breach.
• The hacking group ShinyHunters claims to have stolen 280 million records containing student and staff personal data.
• Exposed information includes names, email addresses, and private messages, with potential for phone numbers and home addresses.
• ShinyHunters has demanded a ransom and threatened to leak the full data by May 8.
• Approximately 8,809 educational institutions worldwide are allegedly affected, including all Ivy League universities.
• Instructure has stated the breach is contained, and some services have been restored, but the full impact is still being assessed.