Instructure Hacker Claims Data Theft from 8,800 Schools and Universities

A threat actor claims to have stolen 280 million records from Instructure's Canvas LMS platform, impacting students and staff at 8,809 educational institutions worldwide.

Dylan H.

News Desk

May 5, 2026

A threat actor is claiming responsibility for a massive breach of Instructure, the company behind the widely-used Canvas LMS learning management system, alleging the theft of 280 million data records belonging to students and staff at 8,809 colleges, school districts, and online education platforms worldwide.

What Was Claimed

According to reporting by BleepingComputer, the hacker posted a dataset for sale on a dark web forum claiming it contains 280 million records sourced from Instructure's systems. The alleged data includes:

  • Student records — names, email addresses, enrollment details, and academic information
  • Staff records — educator and administrator contact data
  • Institutional metadata — school names, district identifiers, and platform configuration data

The breach reportedly spans 8,809 educational institutions across multiple countries, representing a significant cross-section of the global higher education and K-12 sectors.

Instructure's Canvas platform is one of the most widely deployed learning management systems globally, used by universities, school districts, and corporate training programs.

Instructure's Prior Disclosure

This claim follows an earlier disclosure by Instructure. On May 2, 2026, the company confirmed it had experienced a cybersecurity incident and was investigating its scope. The company stated it had detected unauthorized access to a portion of its environment, engaged external forensic investigators, and notified relevant authorities.

At the time of the May 2 disclosure, Instructure had not confirmed the full extent of the data involved. The hacker's public claim and the advertised dataset now suggest the scope may be significantly larger than initially indicated.

Why This Breach Is Significant

The scale of the alleged breach — 280 million records from nearly 9,000 institutions — would place it among the largest education sector breaches ever recorded:

Breach                                  | Year | Records Affected
----------------------------------------|------|----------------------------------
Chegg                                   | 2018 | 40 million student records
National Student Clearinghouse (MOVEit) | 2023 | 900 universities, ~890K students
PowerSchool                             | 2025 | 62.4 million student records
Instructure (claimed)                   | 2026 | 280 million records (unverified)

Education sector breaches are particularly sensitive because they frequently involve minors, protected academic records, and data covered by FERPA (Family Educational Rights and Privacy Act) in the United States. International students may also have data protected under GDPR and other national privacy frameworks.

Threat Actor Background

The claimed breach has been attributed to the threat actor known as ShinyCobalt, a financially motivated group with a history of targeting large-scale SaaS platforms to steal bulk user datasets for sale on criminal marketplaces. ShinyCobalt has been linked to prior attacks on educational, healthcare, and enterprise software platforms in 2025 and 2026.

What Educational Institutions Should Do

Schools and universities using Canvas LMS should take the following immediate steps:

  1. Monitor Instructure's official advisory channels — the company has not yet confirmed the full scope of the breach. Watch for updates at Instructure's security page and official communications.

  2. Notify affected students and staff proactively, consistent with your institution's data breach notification obligations and applicable law (FERPA, GDPR, provincial/state privacy statutes).

  3. Review Canvas integrations and API access — audit OAuth tokens, third-party LTI integrations, and API credentials connected to your Canvas deployment.

  4. Check for anomalous activity — review login events, grade modification history, and course enrollment changes for unusual patterns.

  5. Engage your DPO or legal counsel — determine your institution's notification obligations based on the data types involved and applicable jurisdiction.

  6. Prepare for phishing follow-on attacks — stolen student and staff email addresses will likely be used in targeted phishing campaigns. Warn your community to be alert to suspicious emails referencing Canvas, coursework, or institutional accounts.
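
One way to carry out the credential review in step 3, as an added example that is not from the article or from Instructure: the script triages an inventory of OAuth tokens, LTI tools and API keys and lists the reasons each entry needs review. The CSV column names are hypothetical (not a Canvas export format), and the roster and all sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory; the column names are hypothetical, not a Canvas export format.
INVENTORY_CSV = """\
kind,name,owner,expires_at,last_used_at
oauth_token,gradebook-sync,jlee,2026-08-01,2026-05-04
oauth_token,old-migration-script,mbrown,,2025-09-12
lti_tool,quiz-plugin,jlee,,2026-05-03
api_key,sis-import,tnguyen,2026-12-31,
api_key,reporting-dashboard,akhan,2026-06-30,2026-04-28
"""

ACTIVE_STAFF = {"jlee", "akhan", "tnguyen"}  # constructed roster of current owners
STALE_AFTER = timedelta(days=90)             # assumed threshold for an unused credential


def parse_date(value):
    """Return a datetime for YYYY-MM-DD, or None for an empty field."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def audit(csv_text, active_owners, review_date):
    """Map each credential name to the list of reasons it needs review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        expires = parse_date(row["expires_at"])
        last_used = parse_date(row["last_used_at"])
        if expires is None:
            reasons.append("no expiry")
        elif expires < review_date:
            reasons.append("expired but still listed")
        if last_used is None:
            reasons.append("never used")
        elif review_date - last_used > STALE_AFTER:
            reasons.append("stale")
        if row["owner"] not in active_owners:
            reasons.append("owner not on active roster")
        if reasons:
            findings[row["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(INVENTORY_CSV, ACTIVE_STAFF, datetime(2026, 5, 5)).items():
        print(f"{name}: {', '.join(reasons)}")
```

Entries flagged with more than one reason, such as a non-expiring token whose owner has left, are the first candidates for revocation and reissue.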

What Students and Staff Should Do

Individuals whose data may have been involved should:

  • Change passwords on Canvas and any services sharing the same credentials
  • Enable multi-factor authentication where available
  • Be alert to phishing emails that reference academic content, login alerts, or course notifications
  • Monitor credit and identity — student data often includes enough PII to enable identity fraud
  • Contact your institution's IT department for guidance specific to your school's situation

Investigation Status

As of May 5, 2026, Instructure's investigation is ongoing. The company has not independently confirmed the hacker's claimed figure of 280 million records. The authenticity and completeness of the advertised dataset have not been independently verified by security researchers at the time of publication.

References

  • BleepingComputer — Instructure Hacker Claims Data Theft from 8,800 Schools, Universities
  • Instructure Security Updates
  • CosmicBytez Labs — Instructure Confirms Data Breach, ShinyCobalt Claims Attack — prior coverage of the initial May 3 disclosure.
  • CosmicBytez Labs — EdTech Firm Instructure Discloses Data Breach Amid Hacker Leak Threats — May 4 follow-up on evolving developments.