Instructure Breach: Hacker Claims Data Theft From 8,800 Schools and Universities
Extortion group ShinyHunters claims to have stolen 280 million records from 8,809 schools and education platforms via Instructure's Canvas, exposing students’ and staff’s names, emails, and private messages; while some institutions confirm investigations, Instructure has not publicly commented and the scope of impacted organizations remains unverified.

Instructure Data Breach: 280 Million Records Exposed Across 8,809 Institutions
Overview
- A breach affecting Instructure, the company behind Canvas, has been linked to the extortion group ShinyHunters.
- The attacker claims to have stolen 280 million records connected to students and staff from 8,809 schools, districts, and online education platforms.
- The incident centers on data exposed through Canvas and related export features used by institutions to manage courses, enrollment, and communications.
What Happened
- On May 1, 2026, Instructure acknowledged a cyberattack and later disclosed a data breach involving user names, email addresses, and private messages.
- The breach is tied to the ShinyHunters group, which has publicly claimed responsibility and described the data as including a wide array of student and staff records.
- The threat actor published a list of 8,809 institutions it alleges were impacted, along with the number of records allegedly affected for each institution.
The Adversary and Claims
- The attacker group ShinyHunters claims the data theft leveraged Canvas export capabilities.
- Methods cited include Data Access Pack (DAP) queries, provisioning reports, and user APIs to harvest generated data.
- The size of the alleged data haul is described as hundreds of gigabytes, encompassing user records, messages, and enrollment information.
- The actor has presented a per-institution tally, emphasizing the breadth of potential exposure across K-12, higher education, and online learning organizations.
Scope of Impact
- The scope covers thousands of institutions across the United States and beyond, with record counts ranging from tens of thousands to several million per institution.
- BleepingComputer notes that it did not independently verify the specific organizations listed by the threat actors.
- The data likely includes both personal identifiers and sensitive course-related communications, depending on how each institution used Canvas.
Data Exposed
- Personal details such as names and email addresses appear to be among the exposed data.
- Private messages and enrollment-related information are cited as part of the compromised records.
- The exact nature and extent of data vary by institution, reflecting differing Canvas configurations and data-export practices.
How Data Was Stolen
- The actors claim access to Canvas export features used for legitimate administrative tasks.
- Tools implicated include DAP queries, provisioning reports, and the Canvas user APIs that integrate with district or campus systems.
- The reported breach suggests a focus on aggregating large volumes of user data rather than targeting a single system or campus.
Reactions and Institutional Responses
- Some universities have issued statements about potential impact while remaining cautious about confirming direct effects.
- The University of Colorado Boulder warned that the data breach could be nationwide and affect multiple institutions, though it did not name impacted campuses specifically.
- Rutgers University indicated that, at the time of the statement, no direct impact to its campus had been confirmed and Canvas remained available to its community.
- Tilburg University noted ongoing investigations and indicated that it had asked the supplier for clarity on whether Tilburg's students and staff were affected.
- Instructure has faced inquiries about the incident but had not publicly confirmed all details beyond the breach itself and subsequent statements from partner institutions.
Open Questions and Next Steps
- It remains to be determined which individual institutions were affected and the precise scope of compromised data per campus.
- The long-term implications for students, faculty, and staff—particularly around privacy and credential exposure—are still under assessment by institutions and third-party experts.
- Ongoing investigations aim to establish how the breach occurred, which data stores were accessed, and what steps are needed to mitigate risk going forward.
Notes on Verification
- The numbers and institutional lists are based on the threat actor’s claims and independent reporting, with institutions and Instructure providing varying levels of confirmation.
- As discussions continue, universities and education technology partners are expected to clarify which systems were impacted and what remediation actions are required to protect affected communities.


