ShinyHunters Breached Instructure: 275 Million Students, Teachers and Staff Potentially Exposed

If your school uses Canvas, your data may already be in the hands of one of the most active hacking groups on the planet.

On May 1, 2026, Instructure, the company behind the Canvas learning management system, confirmed a cybersecurity incident. Two days later, the extortion gang ShinyHunters claimed responsibility and posted Instructure on its dark-web leak site.

What Happened?

On April 30 at 5:06 PM MDT, Instructure posted a notice on its status page saying that some customers were “experiencing limited disruption to tools relying on API keys.” The team said it had taken “precautionary steps to help maintain service stability.” Canvas Data 2 and Canvas Beta were placed under maintenance.

By the next morning, on May 1, CISO Steve Proud posted a second notice confirming that Instructure had “experienced a cybersecurity incident perpetrated by a criminal threat actor.” Outside forensics experts were brought in and Canvas Test also went into maintenance.

On May 2 at 12:46 PM, Proud posted a longer update. The company said it believed the incident had been contained. It listed four specific steps it had taken: revoking privileged credentials and access tokens tied to affected systems, deploying security patches, rotating certain application keys as a precaution (even though there was no evidence they were misused), and increasing monitoring across all platforms. The same update confirmed that names, email addresses, student ID numbers, and messages between users had been accessed. Instructure said it found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.

Seven minutes later, at 12:53 PM, a separate notice went out about the rotated application keys. End users would need to re-authorize access to connected tools. The reissued keys now contain a timestamp in the name so users can tell they are legitimate Instructure-created keys during the re-authorization process.

Canvas Data 2 was restored for all customers by May 3. Canvas Beta came back online May 4.

Then on May 3, ShinyHunters made their move. The group listed Instructure on its Tor-based extortion site with a blunt threat: “PAY OR LEAK.”

What Data Was Exposed?

Instructure acknowledges that the exposed data includes names, email addresses (mostly institutional .edu accounts), student IDs, and Canvas inbox messages.

According to the threat actors 3.65 TB of data, around 275 million individuals, roughly 9,000 schools and 15,000 institutions across North America, Europe, and parts of Asia and Oceania were affected. The group also claims it breached Instructure’s Salesforce instance and grabbed more data.

Who Is Affected?

A list of organizations reviewed by SOCRadar shows the institutions that could be affected by this breach.

It includes Ivy League and major research universities like Harvard, Stanford, MIT, Columbia, Princeton, Yale, and Penn State. Large K-12 districts like Clark County (Las Vegas), Broward County, Houston ISD, and Charlotte-Mecklenburg are on it. So are international institutions spanning the UK, Australia, Scandinavia, the Netherlands, Singapore, Brazil, Mexico, and more.

Corporate tenants appear too. Amazon, Cisco, Apple, Disney, Chevron, Dell Technologies, Goldman Sachs, and Bloomberg all show up, alongside government agencies including the Department of Defense, FEMA, and the Federal Bureau of Prisons.

The list covers all 50 US states and institutions across six continents. It runs from kindergarten classrooms to graduate programs to corporate training platforms.

This is Instructure’s Second ShinyHunters Breach in Eight Months

In September 2025, Instructure disclosed a separate breach where social engineering was used to compromise its Salesforce instance. At the time, the company said no Canvas product data was accessed and that the exposed information was mostly public business contact details.

That September breach was part of a much larger campaign against Salesforce customers. The operation used voice phishing (vishing) to trick employees into approving a malicious “Data Loader” app, then drained CRM data at scale. It was claimed that 1.5 billion Salesforce records were stolen from around 760 organizations.

Now, eight months later, Instructure is back in the same spot. Two breaches, both with Salesforce involvement, both attributed to the same group.

The Edtech Campaign

Instructure is the latest target in a clear pattern. ShinyHunters has been systematically going after education technology companies.

• PowerSchool was hit in December 2024. That breach affected 62 million students and 9.5 million teachers.
• Infinite Campus, the K-12 student information system used by 11 million students across 46 states, was compromised through its Salesforce integration in March 2026.
• McGraw-Hill was breached in April 2026, with 13.5 million unique email addresses confirmed.
• ShinyHunters also went after universities directly. In late 2025, the group breached the University of Pennsylvania, Harvard University, and Princeton.

ShinyHunters Strikes Again: Canvas Goes Down During Finals Week

On May 8, ShinyHunters attacked Instructure again and replaced Canvas login pages across affected schools with a message directing institutions to contact ShinyHunters directly if they wanted to prevent their data from being leaked. The message included a new deadline: May 12.

That deadline applies to Instructure as well. According to ShinyHunters, the company has not responded to the group at all since the original breach.

Instructure took its infrastructure offline later that afternoon. When Canvas came back up, ShinyHunters’ message had been replaced with a notice about “scheduled maintenance.”

The timing is brutal since this is finals week for a large number of universities and K-12 districts on the platform. After this second incident, Instructure was removed from ShinyHunters’ leak site, which suggests that negotiations may be underway. If a company gets taken down from such sites, it usually means one of two things: either the company has started talking to the attackers about paying, or they’ve already paid.

Instructure Reaches Agreement with ShinyHunters

On May 12 Instructure confirmed it had reached an agreement with ShinyHunters. The group reportedly returned the stolen data and provided shred logs as proof of deletion. Instructure said no customers would be extorted as a result and that the agreement covers all affected institutions.

ShinyHunters exploited vulnerabilities in the Free-for-Teacher environment, a free, limited version of Canvas for individual educators. The same flaw was used in both the original breach and the May 7 defacement. Instructure has since shut down Free-for-Teacher accounts while it works on fixes.

What Should You Do If You Use Canvas?

The most immediate risk is phishing. With names, institutional emails, student IDs, and message context in the hands of attackers, scams will be convincing. They could look like they come from administrators, classmates, or teaching assistants. The topics can be related to the incident itself, payment issues or other concerning topics that can push people to act and click links without thinking too much.

Treat any “Canvas”-themed email as suspicious for a while. Instead of clicking links go to your accounts directly. Change the password and check for active Canvas sessions and OAuth-connected integrations you do not recognize.

Also, check whether your institutional email, username, or other exposed details already appear in dark web or data leak sources:

SOCRadar’s Dark Web Monitoring helps organizations detect leaked credentials and exposed data tied to their domains, so security teams can act before attackers turn that information into phishing, account takeover, or fraud.