Instructure Breach: Hackers Threaten to Leak 8,809 Schools' Data

Key Takeaways

• ShinyHunters claims to have stolen 280 million records from 8,809 schools using Instructure's Canvas platform
• Hackers executed a second breach to deface login portals and issue ransom demands with a May 12 deadline
• Stolen data includes names, emails, student IDs, and user messages, though Instructure says no passwords or financial data was taken

ShinyHunters, the extortion group behind the Instructure breach, claims to have stolen data from 8,809 schools worldwide. The hackers say they have 280 million records from teachers, students, and staff members who use Canvas, Instructure's cloud-based learning management system.

The situation escalated on May 7 when students at multiple universities found their Canvas login pages had been defaced. Instead of the usual portal, they saw a message from ShinyHunters threatening to publish stolen data on May 12 unless Instructure negotiates a settlement.

Two Separate Breaches

ShinyHunters told TechCrunch that the defaced login portals were made possible by a second, separate breach. This means the group penetrated Instructure's systems twice. The first breach involved stealing the actual data. The second gave them access to modify what students see when they try to log in.

BleepingComputer reported that the stolen data ranges from tens of thousands to several million records per institution. The publication did not name specific affected schools.

However, some schools have been publicly identified through student reports. The Harvard Crimson reported that Harvard students lost access to Canvas at 3:30 PM on May 7. The website redirected to ShinyHunters' message claiming the group had breached Instructure "again."

UC Irvine's campus newspaper also reported that students started receiving pop-up notices with the same ransom message on Thursday.

What Data Was Stolen

Instructure confirmed the breach a few days ago. The company admitted that hackers stole:

• Names
• Email addresses
• Student ID numbers
• Messages exchanged between users on the platform

Instructure said it found no evidence that passwords, dates of birth, government identifiers, or financial information were stolen. The messages between users could include private communications between students and instructors, making this category particularly sensitive.

Instructure's Response

The company has rolled out patches for the first incident. After the warning notices started appearing on May 7, Instructure shut down Canvas for hours. This left students unable to access course materials, assignments, and discussion boards during the outage.

Canvas is widely used by educational institutions to host course websites, readings, and grade assignments. An extended outage during the semester affects teaching schedules and student access to materials.

The May 12 Deadline

ShinyHunters has set May 12 as the deadline for Instructure to negotiate. The group's message advised affected schools to push for a settlement if they don't want data from their teachers and students leaked publicly.

It's unclear whether Instructure will negotiate or how individual schools might respond. Paying ransoms to extortion groups is controversial. It can encourage future attacks, but refusing means stolen data often ends up on dark web forums.

Who Is ShinyHunters

ShinyHunters is a well-known extortion group that has been active since at least 2020. The group typically targets cloud-based services and has previously claimed responsibility for breaches at companies including Microsoft, Tokopedia, and AT&T. They often steal data first, then demand payment to prevent its release.

Frequently Asked Questions

What schools were affected by the Instructure breach?

ShinyHunters claims 8,809 schools were affected. Harvard University and UC Irvine have been publicly confirmed. BleepingComputer has not released a full list of affected institutions.

Were passwords stolen in the Canvas data breach?

Instructure says it found no evidence that passwords, dates of birth, government identifiers, or financial information were stolen. The confirmed stolen data includes names, emails, student IDs, and user messages.

What is the May 12 deadline in the Instructure hack?

ShinyHunters has threatened to publicly release stolen data on May 12, 2026, unless Instructure negotiates a settlement with the group.

Is Canvas safe to use after the Instructure breach?

Instructure has rolled out patches and temporarily shut down Canvas to address the security issues. However, the existence of a second breach suggests ongoing security concerns. Users should monitor communications from their institutions.

How many records were stolen from Instructure?

ShinyHunters claims to have stolen 280 million records total, with individual institutions losing anywhere from tens of thousands to several million records each.

Source: Engadget