What happened
The ShinyHunters extortion group has claimed responsibility for the cyberattack on Instructure, the company behind the Canvas learning management system, asserting it stole 280 million records tied to students, teachers, and staff across 8,809 colleges, school districts, and online education platforms. The group has published a list of affected institutions with individual record counts, ranging from tens of thousands to several million per organization.
Instructure disclosed a data breach last week confirming that users’ names, email addresses, and private messages were exposed. The company has not responded to media inquiries about the scale of the incident or the ShinyHunters attribution. The threat actor claims the data was stolen using Canvas data export features including DAP queries, provisioning reports, and user APIs, and that hundreds of gigabytes of user records, messages, and enrollment data were harvested through legitimate platform functionality rather than a technical exploit.
Several universities have begun issuing public statements. The University of Colorado Boulder described the breach as a nationwide event affecting multiple institutions. Rutgers University said it had not been directly notified of impact to its campus but acknowledged the broader incident. Tilburg University in the Netherlands said it had submitted further questions to Instructure to determine whether its students and staff were affected. BleepingComputer has not independently verified the specific institutions listed by the threat actor.
Who is affected
Students, teachers, and staff at potentially thousands of educational institutions globally face exposure of names, email addresses, private messages, and enrollment data. The inclusion of Tilburg University in public disclosures indicates the breach extends beyond US institutions. The 280 million record claim, if accurate, would make this one of the largest education sector breaches on record.
Why CISOs should care
The claimed method of exfiltration is what security leaders in the education sector should examine most closely. ShinyHunters asserts the data was taken through Canvas’s own legitimate data export features, including DAP queries and provisioning reports, rather than through a vulnerability in the platform’s core infrastructure. If accurate, this means the attacker used authorized API functionality to extract data at scale, a pattern that bypasses many traditional intrusion detection controls and raises fundamental questions about how data export capabilities in large SaaS platforms are monitored and rate-limited.
This breach also follows Instructure’s September 2025 incident involving ShinyHunters, making this the second time the same group has successfully extracted data from the same company within eight months.
3 practical actions
- Contact Instructure directly to determine whether your institution appears on the affected list: Instructure has not been proactively notifying all potentially affected institutions. Security and IT leadership at schools and universities using Canvas should initiate contact with Instructure and monitor official communications channels rather than waiting for outreach.
- Audit Canvas API access and data export configurations across your institution’s deployment: If the exfiltration method involved DAP queries and provisioning APIs, review which accounts or integrations have data export permissions within your Canvas environment, whether export activity is logged and reviewed, and whether rate limits or anomaly detection are in place for bulk data requests.
- Prepare breach notification assessments for student and staff data under applicable regulations: Educational institutions in the US face FERPA obligations, while those in the EU and elsewhere face GDPR requirements. Begin assessing notification obligations now rather than waiting for Instructure to confirm the full scope, given that multiple institutions have already independently disclosed the incident to their communities.
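The export-monitoring check from the second action, as an added example (not code from Instructure or from this article's author): it scans request logs for actors whose calls to export-type endpoints exceed a request-count or byte threshold inside a sliding window. The log format, path patterns, thresholds and actor names are assumptions constructed for illustration and need adapting to your own Canvas logging.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: path patterns for the export surfaces the article names (DAP
# queries, provisioning reports, user APIs). Adjust to your own log schema.
EXPORT_PATTERNS = [
    re.compile(r"^/dap/query/"),
    re.compile(r"^/api/v1/accounts/\d+/reports/provisioning_csv"),
    re.compile(r"^/api/v1/accounts/\d+/users"),
]

# Constructed sample log: "<ISO time> <actor> <path> <response bytes>".
SAMPLE_LOG = """\
2026-01-10T02:00:05 sis-sync /api/v1/accounts/1/reports/provisioning_csv 40000000
2026-01-10T02:01:00 teacher-42 /api/v1/courses/77/assignments 5200
2026-01-10T02:03:10 legacy-token /dap/query/canvas/table/users/data 30000000
2026-01-10T02:04:40 legacy-token /dap/query/canvas/table/enrollments/data 35000000
2026-01-10T02:06:15 legacy-token /api/v1/accounts/1/users?page=1 900000
2026-01-10T02:07:30 legacy-token /api/v1/accounts/1/users?page=2 900000
2026-01-10T09:00:00 sis-sync /api/v1/accounts/1/users?page=1 900000
"""

def parse(log):
    for line in log.splitlines():
        ts, actor, path, size = line.split()
        yield datetime.fromisoformat(ts), actor, path, int(size)

def find_bulk_exporters(events, window=timedelta(minutes=10),
                        max_requests=3, max_bytes=50_000_000):
    """Map actor -> (peak requests, peak bytes) for export bursts over a limit."""
    recent = defaultdict(deque)   # actor -> (time, bytes) still inside window
    total = defaultdict(int)      # actor -> bytes currently inside window
    flagged = {}
    for ts, actor, path, size in sorted(events):
        if not any(p.match(path) for p in EXPORT_PATTERNS):
            continue
        q = recent[actor]
        q.append((ts, size))
        total[actor] += size
        while ts - q[0][0] > window:      # drop requests older than window
            total[actor] -= q.popleft()[1]
        if len(q) > max_requests or total[actor] > max_bytes:
            n, b = flagged.get(actor, (0, 0))
            flagged[actor] = (max(n, len(q)), max(b, total[actor]))
    return flagged

if __name__ == "__main__":
    print(find_bulk_exporters(parse(SAMPLE_LOG)))
```

On the sample, the scheduled `sis-sync` integration stays under both limits, while `legacy-token` is flagged for pulling several export surfaces within minutes.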
