Instructure, the education technology company behind Canvas LMS, has officially disclosed a data breach that involved the theft of student and user data and temporary disruption of platform services. The company confirmed that attackers exfiltrated names, email addresses, student ID numbers, and user messages from its systems, while simultaneously threatening to leak the stolen data publicly.
This disclosure provides the most specific accounting yet of what data was compromised in the breach, following Instructure's initial confirmation that a cyberattack had occurred.
What Was Stolen
Instructure has confirmed that the breach resulted in the exfiltration of the following data categories:
| Data Type | Exposure Risk |
|---|---|
| Full names | Identity, phishing |
| Email addresses | Phishing, spam, credential attacks |
| Student ID numbers | Identity fraud, account access |
| User messages | Privacy violation, social engineering |
The inclusion of user messages is particularly concerning, as internal communications between students, instructors, and administrators may contain sensitive personal disclosures, academic discussions, or information that could be weaponized in targeted social engineering attacks.
Service Disruption
Beyond data theft, the attackers also disrupted Instructure's platform services during the intrusion, temporarily affecting access to Canvas LMS for students and educators at affected institutions. The exact nature and duration of the service disruption have not been fully characterized by the company.
Canvas LMS is used by thousands of educational institutions globally — from K-12 school districts to major universities — making any service disruption a significant operational event during active academic terms.
Context: Previous Reporting and ShinyHunters
CosmicBytez Labs previously reported that the prolific ShinyHunters extortion group claimed responsibility for the attack. ShinyHunters has been tied to dozens of major data breaches in recent years, including incidents at Ticketmaster, AT&T, Snowflake, and multiple other high-profile targets.
The group's typical modus operandi — breaching systems, exfiltrating data, and threatening public release unless a ransom is paid — aligns with the pattern of this incident. Instructure has not publicly confirmed whether a ransom demand was made or paid.
Impact on the Education Sector
The breach highlights the education sector's persistent vulnerability to data theft operations. Educational institutions and their technology vendors face a challenging threat landscape:
- Large volumes of PII across students, faculty, and staff
- Limited security budgets compared to enterprise or financial sector peers
- Complex vendor ecosystems involving LMS platforms, SIS integrations, and third-party tools
- Regulatory obligations under FERPA (Family Educational Rights and Privacy Act) for US institutions
- High-value target status due to research data, intellectual property, and PII density
Canvas LMS's position as one of the dominant learning management platforms globally means a breach of Instructure's infrastructure has downstream implications for thousands of institutions that cannot be fully controlled at the institutional level.
FERPA Implications
For US educational institutions using Canvas, the breach may trigger FERPA notification obligations if education records were accessed by unauthorized parties. FERPA requires institutions to:
- Notify students when their education records have been accessed without authorization
- Maintain policies and procedures for responding to breaches of student record systems
- Work with vendors to ensure adequate data protection measures are in place
Affected institutions should consult with legal counsel to determine their specific notification obligations based on the data confirmed as compromised.
Recommendations for Affected Users
If you use Canvas LMS through your school, university, or workplace:
- Change your password immediately — Use a unique password not reused on any other service
- Enable multi-factor authentication (MFA) — Activate MFA on your Canvas account and any SSO-linked accounts
- Be alert for phishing — Attackers with your name, email, and student ID can craft highly convincing targeted phishing messages
- Monitor your student email — Watch for unusual messages claiming to be from your institution
- Notify your IT department — Your institution may have additional guidance or protective actions in progress
- Watch for identity fraud — Student ID numbers can be used in academic fraud and some identity theft scenarios
What Instructure Is Doing
Instructure has stated it is cooperating with external cybersecurity investigators and working to notify affected customers and individuals in accordance with applicable data protection laws. The company has not yet disclosed the total number of affected records or institutions.
Given the scale of Canvas LMS deployments — the platform serves tens of millions of learners — the total scope of affected individuals could be substantial once the full breach investigation is completed.
CosmicBytez Labs will continue to track this story as additional details emerge from Instructure's ongoing disclosure process.