The education technology giant Instructure has confirmed a substantial data breach affecting its widely-used Canvas learning platform, leading to the exposure of personal information belonging to students, teachers, and other users. The incident, which also caused service disruptions, was disclosed by the company on April 30, 2026, and has since been attributed to cybercriminals. The notorious hacker group ShinyHunters has claimed responsibility for the attack, alleging the theft of data pertaining to an enormous number of individuals.
Scope of the Breach and Compromised Data
Instructure, headquartered in Salt Lake City, Utah, is best known for its Canvas learning management system, a platform utilized by numerous educational institutions and organizations globally. Following the initial discovery of service disruptions, Instructure launched an investigation with the assistance of external forensic experts and law enforcement. The company stated that the cybercriminals gained access to personal information such as names, email addresses, and student ID numbers. Additionally, user messages were also compromised. Crucially, Instructure has indicated that there is currently no evidence to suggest that passwords, dates of birth, government identifiers, or financial information were accessed in this breach.
Hacker Group Claims Massive Data Exfiltration
Adding to the severity of the incident, the cybercriminal group ShinyHunters has listed stolen data on its Tor-based leak site. The group claims to have exfiltrated 3.65 terabytes of data, impacting an estimated 275 million students, teachers, and other individuals across close to 9,000 educational institutions worldwide. ShinyHunters also alleges that Instructure's Salesforce instance was compromised. While Instructure is working to understand the full extent of the breach, the claims made by ShinyHunters suggest a far wider impact than initially detailed by the company.
Response and Remediation Efforts
Upon identifying the attack, Instructure moved swiftly to contain the incident and mitigate its impact. The company revoked privileged credentials and access tokens, deployed security fixes, and enhanced monitoring protocols. Access to the Canvas Data 2 platform was largely restored by Sunday, May 3, 2026. Instructure has emphasized its commitment to working diligently to address the situation and minimize any further fallout. The company has not yet provided specific details on how many institutions and individual users were affected, nor has it officially identified the threat actor beyond acknowledging the involvement of cybercriminals.