Instructure Data Breach Exposes Student Data to ShinyHunters

Key Takeaways

• ShinyHunters stole student names, email addresses, and teacher-student messages from Instructure's Canvas platform
• Hackers claim 275 million people and nearly 9,000 schools were affected, though these numbers are unverified
• Instructure says passwords and other sensitive data types were not compromised in the breach

Instructure, the company behind the widely used Canvas learning management system, has confirmed that hackers stole students' private information in a data breach. The ShinyHunters hacking and extortion gang claimed responsibility.

The stolen data includes student names, personal email addresses, and messages exchanged between teachers and students. Instructure confirmed these categories match what the company knows was taken.

ShinyHunters shared a sample of the stolen data with TechCrunch. The sample contained records from two U.S. schools, one in Massachusetts and one in Tennessee. The Massachusetts school's data included messages with names, email addresses, and some phone numbers. The Tennessee school's data had students' full names and email addresses.

Scope of the Breach Remains Unclear

On its data leak site, ShinyHunters claims the breach affected close to 9,000 schools worldwide and 275 million people. That count allegedly includes students, teachers, and other staff. In a chat with TechCrunch, a group member said the stolen data contains 231 million unique email addresses.

These numbers cannot be independently verified. Financially motivated hacking groups are known to exaggerate their claims to attract media attention and pressure victims.

Instructure says on its website that it serves more than 8,000 institutions. ShinyHunters shared a list of about 8,800 schools allegedly affected. TechCrunch could not confirm whether all listed institutions were actually compromised or even Instructure customers.

What Instructure Says Was Not Compromised

The data sample TechCrunch reviewed did not contain passwords. Instructure has stated that passwords and certain other data types were not affected by the breach. The company has not specified which other categories remained secure.

Instructure spokesperson Kate Holmes declined to answer TechCrunch's questions about the incident. She directed inquiries to the company's official page where it is publishing breach updates.

As of Tuesday, Instructure said some products, including Canvas, were restored for customers after maintenance. The company has not clarified whether this maintenance was directly related to the breach response.

ShinyHunters' Recent Activity

Instructure is the latest corporate target for ShinyHunters. The group has focused on universities and cloud database companies in recent months. Their pattern: steal large volumes of personal information, then threaten to publish it online unless the company pays a ransom.

Canvas is Instructure's flagship product. The platform lets educational institutions manage coursework, assignments, and student communication. Both schools in the leaked sample appeared to use Canvas based on information from their websites.

What Schools Should Do Now

Educational institutions using Canvas should monitor Instructure's official updates page for breach disclosures. If your institution receives notification that it was affected, communicate clearly with students and parents about what data may have been exposed.

• Check Instructure's official breach update page for your institution's status
• Alert users that their email addresses may be used in phishing attempts
• Review any messages sent through Canvas that contained sensitive information
• Consider whether phone numbers shared in Canvas messages need additional protection

The stolen messages between teachers and students present a particular risk. These communications may contain personal details beyond what's in a typical database record.

Frequently Asked Questions

Were passwords stolen in the Instructure breach?

No. Instructure says passwords were not affected, and the data sample reviewed by TechCrunch did not contain passwords.

How many schools were affected by the Instructure hack?

ShinyHunters claims nearly 9,000 schools were affected. Instructure has over 8,000 institutional customers. The exact number of affected schools has not been independently verified.

What data was stolen in the Instructure data breach?

Student names, personal email addresses, and messages between teachers and students were confirmed stolen. Some phone numbers were also in the leaked sample.

Who is ShinyHunters?

ShinyHunters is a hacking and extortion gang that steals data from companies and threatens to publish it unless victims pay a ransom. They have recently targeted universities and cloud database companies.

Is Canvas safe to use after the breach?

Instructure says Canvas has been restored after maintenance. However, institutions should monitor official updates and assume previously shared data may be compromised.

Source: TechCrunch / Lorenzo Franceschi-Bicchierai