Educational technology giant Instructure — the company behind Canvas LMS, one of the most widely deployed learning management systems in higher education — has confirmed that a cyberattack resulted in the theft of customer data. The notorious ShinyHunters extortion gang has claimed responsibility for the intrusion.
What Happened
Instructure disclosed the security incident after ShinyHunters publicly claimed to have breached the company's systems and threatened to leak stolen data. The group, which has been linked to dozens of high-profile data theft operations against major organizations, alleged they had obtained sensitive records belonging to Instructure customers and users.
The company confirmed the breach was genuine and that unauthorized parties had accessed and exfiltrated data, though Instructure has not yet disclosed the full scope of affected records or the specific types of data compromised in the attack.
Who Is ShinyHunters?
ShinyHunters is a well-established cybercriminal extortion group responsible for a string of major data breaches over the past several years. The group typically infiltrates company systems, exfiltrates large datasets, and then threatens to publish or sell the stolen information unless a ransom is paid.
Notable previous ShinyHunters targets include:
- Ticketmaster / Live Nation — 560 million customer records (2024)
- Santander Bank — tens of millions of customer and employee records
- AT&T — call and text records for nearly all customers
- Snowflake — leveraged compromised credentials across dozens of downstream customers
- Canada Goose, Panera Bread, Figure Technology, Telus Digital, and many others
The group's targeting of Instructure follows a pattern of attacking organizations that hold large volumes of personally identifiable information (PII).
Impact on Education Sector
Instructure's Canvas LMS is used by thousands of educational institutions worldwide, including universities, colleges, K-12 school districts, and corporate training programs. A breach at a vendor with that reach carries significant implications:
- Student and faculty PII may have been exposed, including names, email addresses, and institutional identifiers
- Academic records and course data may have been accessed
- Single sign-on (SSO) credentials used by millions of learners could be at risk depending on what systems were interconnected
Educational institutions using Canvas should assume their affiliated user data may have been included in the exfiltrated records until Instructure provides further clarification.
What Instructure Is Doing
Instructure stated it is actively investigating the incident with the assistance of external cybersecurity experts. The company indicated it is working to determine the full extent of the breach and will notify affected customers and individuals as required by applicable data protection laws.
No specific timeline for notifications has been confirmed publicly.
Recommendations for Affected Users
If you or your institution uses Instructure's Canvas LMS or related products, consider taking the following steps:
- Change your Canvas account password immediately, especially if it is reused elsewhere
- Enable multi-factor authentication (MFA) on your Canvas account and any linked accounts
- Watch for phishing attempts targeting your institutional email address
- Monitor for suspicious account activity across any services linked to the same credentials
- Notify your institution's IT security team so they can assess exposure and take protective action
Ongoing Investigation
The full scope of the breach — including how many records were compromised and which specific data types were accessed — is still being determined. CosmicBytez Labs will update this story as more details become available from Instructure's ongoing investigation.
This story was published based on reporting from BleepingComputer. The previous draft of this article was retracted after BleepingComputer determined initial details were partially based on an older incident; this version reflects Instructure's confirmed disclosure.