Instructure Data Breach Exposes Student Data to ShinyHunters
Key Takeaways
- ShinyHunters stole student names, email addresses, and teacher-student messages from Instructure's Canvas platform
- Hackers claim 275 million people and nearly 9,000 schools were affected, though these numbers are unverified
- Instructure says passwords and other sensitive data types were not compromised in the breach
Instructure, the company behind the widely used Canvas learning management system, has confirmed that hackers stole students' private information in a data breach. The ShinyHunters hacking and extortion gang claimed responsibility.
The stolen data includes student names, personal email addresses, and messages exchanged between teachers and students. Instructure confirmed these categories match what the company knows was taken.
ShinyHunters shared a sample of the stolen data with TechCrunch. The sample contained records from two U.S. schools, one in Massachusetts and one in Tennessee. The Massachusetts school's data included messages with names, email addresses, and some phone numbers. The Tennessee school's data had students' full names and email addresses.
Scope of the Breach Remains Unclear
On its data leak site, ShinyHunters claims the breach affected close to 9,000 schools worldwide and 275 million people. That count allegedly includes students, teachers, and other staff. In a chat with TechCrunch, a group member said the stolen data contains 231 million unique email addresses.
These numbers cannot be independently verified. Financially motivated hacking groups are known to exaggerate their claims to attract media attention and pressure victims.
Instructure says on its website that it serves more than 8,000 institutions. ShinyHunters shared a list of about 8,800 schools allegedly affected. TechCrunch could not confirm whether all listed institutions were actually compromised or even Instructure customers.
Logicity's Take
What Instructure Says Was Not Compromised
The data sample TechCrunch reviewed did not contain passwords. Instructure has stated that passwords and certain other data types were not affected by the breach. The company has not specified which other categories remained secure.
Instructure spokesperson Kate Holmes declined to answer TechCrunch's questions about the incident. She directed inquiries to the company's official page where it is publishing breach updates.
As of Tuesday, Instructure said some products, including Canvas, were restored for customers after maintenance. The company has not clarified whether this maintenance was directly related to the breach response.
ShinyHunters' Recent Activity
Instructure is the latest corporate target for ShinyHunters. The group has focused on universities and cloud database companies in recent months. Their pattern: steal large volumes of personal information, then threaten to publish it online unless the company pays a ransom.
Canvas is Instructure's flagship product. The platform lets educational institutions manage coursework, assignments, and student communication. Both schools in the leaked sample appeared to use Canvas based on information from their websites.
How major tech companies are handling external security and safety reviews
What Schools Should Do Now
Educational institutions using Canvas should monitor Instructure's official updates page for breach disclosures. If your institution receives notification that it was affected, communicate clearly with students and parents about what data may have been exposed.
- Check Instructure's official breach update page for your institution's status
- Alert users that their email addresses may be used in phishing attempts
- Review any messages sent through Canvas that contained sensitive information
- Consider whether phone numbers shared in Canvas messages need additional protection
The stolen messages between teachers and students present a particular risk. These communications may contain personal details beyond what's in a typical database record.
Frequently Asked Questions
Were passwords stolen in the Instructure breach?
No. Instructure says passwords were not affected, and the data sample reviewed by TechCrunch did not contain passwords.
How many schools were affected by the Instructure hack?
ShinyHunters claims nearly 9,000 schools were affected. Instructure has over 8,000 institutional customers. The exact number of affected schools has not been independently verified.
What data was stolen in the Instructure data breach?
Student names, personal email addresses, and messages between teachers and students were confirmed stolen. Some phone numbers were also in the leaked sample.
Who is ShinyHunters?
ShinyHunters is a hacking and extortion gang that steals data from companies and threatens to publish it unless victims pay a ransom. They have recently targeted universities and cloud database companies.
Is Canvas safe to use after the breach?
Instructure says Canvas has been restored after maintenance. However, institutions should monitor official updates and assume previously shared data may be compromised.
Need Help Implementing This?
Source: TechCrunch / Lorenzo Franceschi-Bicchierai
Huma Shazia
Senior AI & Tech Writer
Related Articles
Browse all
Robotaxi Companies Are Hiding How Often Humans Take the Wheel
Autonomous vehicle firms like Waymo and Tesla are under scrutiny for refusing to disclose how often remote operators step in to control their self-driving cars. A Senate investigation reveals major gaps in transparency, raising safety and accountability concerns.
Wisconsin Governor Throws a Wrench in Age Verification Plans
Wisconsin Governor Tony Evers has vetoed a bill that would have required residents to verify their age before accessing adult content online, citing concerns over privacy and data security. This move comes as several other states have already implemented similar age check requirements. The veto has significant implications for the future of online age verification.
Apple's App Store Empire Under Siege: The Battle for the Future of Tech
The long-running feud between Apple and Epic Games has reached a boiling point, with Apple preparing to take its case to the Supreme Court. The tech giant is fighting to maintain control over its App Store, while Epic Games is pushing for more freedom for developers. The outcome could have far-reaching implications for the entire tech industry.
Tesla's Remote Parking Feature: The Investigation That Didn't Quite Park Itself
The US auto safety regulators have closed their investigation into Tesla's remote parking feature, but what does this mean for the future of autonomous driving? We dive into the details of the investigation and what it reveals about the technology. The National Highway Traffic Safety Administration found that crashes were rare and minor, but the investigation's closure doesn't necessarily mean the feature is completely safe.
Also Read
Portal and Paladin Partner to Remove Space Junk by 2027
U.S.-based Portal Space Systems and Australian startup Paladin Space are teaming up to offer commercial debris removal services in low Earth orbit. Their combined platform will use Portal's refuelable Starburst spacecraft and Paladin's Triton payload to capture multiple small debris objects per mission.
Anthropic Launches 10 AI Agents for Finance Industry
Anthropic has released ten preconfigured AI agents targeting investment banks, asset managers, and insurers. The agents automate tasks from pitchbook creation to compliance screening, running either as plugins or autonomously on Anthropic's platform. The launch intensifies competition with OpenAI as both companies chase enterprise revenue ahead of potential IPOs.
Apple in Talks with Intel, Samsung for US Chip Manufacturing
Apple is reportedly holding early discussions with Intel and Samsung to manufacture its custom processors at their US facilities. The talks come as Apple faces capacity constraints on advanced manufacturing nodes needed for its M-series and A-series chips, most of which currently come from TSMC in Taiwan.