Dateline: May 4, 2026
ShinyHunters Claims Instructure Data Breach Affecting 275 Million Canvas Users
Instructure, the U.S. EdTech company behind the Canvas learning management system, has confirmed a cybersecurity incident that exposed personal information belonging to students and teachers worldwide. The hacking group ShinyHunters has claimed responsibility, alleging the theft of 3.65 terabytes of data tied to 275 million users across nearly 9,000 educational institutions.
What Happened?
Trouble started on April 30. Instructure flagged service disruptions affecting tools that rely on API keys, and by May 1 the company confirmed it was dealing with a criminal threat actor. Outside forensics experts were called in, and Canvas Data 2 and Canvas Beta were placed under maintenance.
In a follow up notice, Chief Security Officer Steve Proud said attackers viewed user identifying information, including names, email addresses, student ID numbers, and private messages between users. Instructure says there is no evidence so far that passwords, birthdates, government IDs, or financial information were touched.
Service was largely restored by Sunday, May 3. That same day, ShinyHunters added Instructure to its leak site on Tor, claiming the breach also reached the company’s Salesforce instance and that a vulnerability had been used to siphon the data before it was patched.
This is Instructure’s second confirmed breach in roughly eight months. In September 2025, the same group exploited a social engineering attack against the company’s Salesforce environment, raising fresh questions about whether last year’s remediation was thorough enough.
What’s the Impact?
For affected students and teachers, the most immediate concern is targeted phishing. With names, school email addresses, and student IDs in the wrong hands, attackers can build convincing scams that look like they come from an administrator or classmate. Private messages add another layer of risk if they reference grades, family situations, or anything sensitive.
For schools and universities, the headache is regulatory. Canvas serves K-12 districts, colleges, and entire education ministries, which means FERPA, COPPA, and roughly 130 state student privacy laws all come into play. Most place the notification burden on the institution rather than the vendor, so administrators are now scrambling to figure out what they owe their communities.
For the broader EdTech industry, this is the second time in under a year that ShinyHunters has walked away with Canvas data. The pattern, also seen at PowerSchool and Infinite Campus, points to cloud CRM environments and social engineering as the recurring weak spots in platforms holding student records.
How to Avoid This
For schools using Canvas, the first move is to revisit every third party integration linked to the platform. The 2025 incident already showed Salesforce was a weak link, and the new breach reinforces that. Map which tools have access to which data and prune anything dormant or unnecessary. It cuts the blast radius if another vendor gets hit.
MFA needs to be a hard requirement on admin and teacher accounts, not a suggestion buried in a setup guide. Privileged credentials and API tokens should rotate on a schedule, and unusual access patterns deserve a real review rather than a place at the bottom of an alert queue.
For families, the practical step is to be skeptical of any email that references a specific student ID or a Canvas message thread. ShinyHunters has a track record of leaking or selling data that fuels spam and phishing campaigns months later, so vigilance should not stop when the news cycle moves on.
When the Backdoor Was Always Open
The Instructure breach reads like a case study in what happens when third-party integrations go unreviewed. ShinyHunters didn’t need a sophisticated zero-day, they needed a Salesforce connection that hadn’t been hardened after the first incident.
Secure.com’s AI-powered no-code workflows empower teams to continuously check for critical configuration gaps across cloud environments and connected SaaS applications. When a third-party integration like Salesforce becomes a recurring entry point (as it did twice for Instructure) the question isn’t just whether you’ve patched the known vulnerability.
It’s whether you have visibility into every connection, permission, and access token that surrounds it. Secure.com’s Infrastructure Teammate maps that entire surface, flags drift in real time, and triggers remediation workflows before a second breach becomes the headline.
For the thousands of schools whose student data now sits on a leak site, the question isn’t whether they trusted Canvas, it’s whether they had visibility into everything Canvas was connected to. In environments where third-party tools hold sensitive records, continuous integration monitoring isn’t optional. It’s the difference between a contained incident and a second breach.
