Industry - Data Breach
Executive Summary
Educational technology company Instructure confirmed a data breach exposing personal information of users at affected institutions, including names, email addresses, student ID numbers, and private messages between students and teachers. The ShinyHunters extortion gang claimed responsibility for the attack, alleging they accessed data on 275 million individuals across nearly 9,000 schools worldwide through a now-patched vulnerability in Instructure's systems. Instructure states no passwords, ...
What Happened
Educational technology company Instructure, which operates the widely used Canvas learning management system, confirmed a data breach on May 3, 2026, after detecting a cybersecurity incident. The ShinyHunters extortion gang claimed responsibility and stated they exploited a now-patched vulnerability in Instructure's systems to access data. Instructure disclosed that exposed information includes names, email addresses, student ID numbers, and private messages between students and teachers at affected institutions.
Who Is Affected
ShinyHunters claims the breach impacts 275 million individuals across nearly 9,000 schools worldwide, including students, teachers, and staff at educational institutions using Instructure's Canvas platform. The alleged dataset reportedly spans almost 15,000 institutions across North America, Europe, and Asia-Pacific regions. Instructure has not independently confirmed the specific number of affected schools or individuals.
Why It Matters
This breach is significant due to the massive scale claimed by the threat actors and the exposure of private student-teacher communications, which could contain sensitive academic and personal discussions. The incident highlights vulnerabilities in widely deployed educational technology platforms that store data for millions of students globally. The exposure of student identification numbers and email addresses also creates risks for targeted phishing and identity-based attacks against young users.
What You Should Do
If you or your child uses Canvas or other Instructure services, watch for official notifications from your school or institution about whether you were affected. Re-authorize API access as required by Instructure's security updates. Be vigilant for phishing emails targeting exposed email addresses, especially those appearing to come from schools or teachers, and verify any unusual communication requests through separate channels before responding.
Summary generated from verified sources and reviewed before publication. How we summarize.