Skip to content
hacker_posts

Canvas LMS breach: ShinyHunters claims 275M records; Instructure says it paid for deletion

ShinyHunters exfiltrated 3.65 TB from Instructure's Canvas LMS, defaced login pages at 330 schools, then accepted a payment in exchange for 'returning' the data. The data is still out there.

Published 3 min read
breachransomwareshinyhunterseducationextortion

Instructure, the operator of the Canvas learning management system used by roughly 70% of US higher-education institutions, reached an "agreement" earlier this month with the extortion crew ShinyHunters after the group exfiltrated 3.65 TB of data covering ~275 million users across ~9,000 institutions.

The company says ShinyHunters returned the data and provided "digital confirmation of destruction." Independent researchers say what that confirmation is actually worth: nothing.

Timeline

  • April 30 – May 7, 2026: Initial exfiltration window. The attackers used Instructure's "Free-For-Teacher" tier — a no-payment account program — to obtain initial access and pivot to support-ticket data and tenant content.
  • May 3: ShinyHunters claims responsibility publicly.
  • May 7: Second wave — login portals at roughly 330 institutions are defaced with extortion messages giving Instructure until May 12 to pay.
  • May 11: Instructure announces an "agreement" with the actor.
  • May 24: Researchers continue to flag the underlying risk — that copied data does not stop being copied.

What was taken

Instructure confirmed exposure of:

  • Usernames
  • Email addresses
  • Student IDs
  • Course names and enrollment information
  • Some private messages between students and teachers

Not exposed (per Instructure): passwords, dates of birth, government IDs, financial information.

Independent reporting puts the haul at around 275 million records. The Free-For-Teacher tier was temporarily shut down during incident response.

The "agreement"

Instructure did not publicly confirm a payment amount. ShinyHunters publicly claimed it had been paid and had returned the dataset. Several security writers have made the obvious point — once a dataset has been copied to attacker infrastructure, paying for "deletion" buys a promise, not a guarantee. ShinyHunters has a track record of monetizing data months after such agreements, either via secondary sale or as fodder for follow-on extortion against named individuals.

Researcher Pieter Arntz, writing at Malwarebytes, put it bluntly: "data is not a borrowed laptop or a misplaced folder. Once copied, it can be copied again, and again."

Why this matters beyond Canvas

Two reasons.

First, the access vector. ShinyHunters got in via a free, low-friction tier intended to remove signup friction for teachers. Any product with a free tier that hands out tenant-shaped access to your platform is now reading this advisory with new attention.

Second, the precedent. If Instructure did pay, it sets a price for extortion against education-sector SaaS — a sector with thousands of similar vendors, most of whom have far weaker security posture than Instructure. Expect copycats.

If you're affected

You probably are: if you're a US student, teacher or staff member at an institution using Canvas, your name, email, course list and possibly private messages are now considered exposed.

  • Treat any unsolicited email referencing your courses, classmates, or specific instructors as a phishing attempt for at least the next 12 months. The attackers have ideal material for targeted lures.
  • If your institution issued an advisory, follow its credential-rotation guidance.
  • Be skeptical of "Canvas password reset" emails. Type the URL by hand.

This is the second ShinyHunters operation against Instructure in eight months — the first, in September 2025, hit Salesforce-side systems via social engineering. The pattern is not random.