Instructure, the company behind the Canvas learning management platform, has confirmed a cybersecurity breach that exposed private user information from some institutions.
Chief Information Security Officer Steve Proud said the company is working with outside forensic experts to investigate and believes the incident was contained as of its May 2 update.
According to Instructure’s status update, the exposed information may include names, email addresses, student ID numbers, and messages between users.
The company said there is no evidence that passwords, birth dates, government IDs, or financial information were involved, but affected institutions will be notified if that changes.
ShinyHunters claims responsibility
TechCrunch shared that the hacking and extortion group ShinyHunters claimed responsibility for the breach, which reported that the group said it stole students’ names, personal email addresses, and messages sent between teachers and students.
The type of information described by the hackers matched the categories Instructure acknowledged were involved in the incident.
A member of ShinyHunters shared a sample of the stolen data. The sample included information from two U.S. schools: one in Massachusetts and one in Tennessee. In Massachusetts, the messages had names, email addresses, and some phone numbers. The Tennessee sample included students’ full names and email addresses.
Hackers claim thousands of schools were affected
The full scale of the breach is still unclear. TechCrunch reported that ShinyHunters gave them a list of about 8,800 schools they claim were affected, but TechCrunch could not confirm if all those schools were impacted or were Instructure customers. According to TechCrunch, Instructure’s website says it serves more than 8,000 institutions.
On their leak site, the hackers claimed the breach affected nearly 9,000 schools worldwide and involved data from 275 million people, including students, teachers, and staff.
A ShinyHunters member said the stolen data included 231 million unique email addresses. However, the hacking groups often exaggerate to pressure victims and get attention.
Instructure says it took containment steps
Instructure said it revoked privileged credentials and access tokens for affected systems, applied security patches, rotated some keys as a precaution, and increased monitoring across its platforms. The company’s update said the investigation is still active and it continues to work with outside forensic experts.
The incident also disrupted service.
Mashable reported that some Instructure products, including Canvas, were restored for customers after maintenance on Tuesday. Canvas is widely used by schools for coursework, assignments, and communication, so the exposure of user messages is especially sensitive, even though passwords and financial data were not involved.
Why the breach matters
The Instructure breach highlights growing concerns about attacks on education technology platforms, where one provider can hold data from thousands of schools and millions of users.
Even without passwords or financial records, names, school email addresses, student IDs, and private messages can still lead to risks like phishing, impersonation, and targeted scams.
Schools and universities now need to find out if their users were affected and what local notifications are needed.
For Instructure, the main challenge is to restore trust in Canvas as education systems rely more on cloud-based platforms for daily learning, communication, and records management.
