Student and Teacher Data Exposed in Instructure Cyber Incident

Lesson in exposure.
Lily Morris
Contributing Writer
Instructure, Canvas, ShinyHunters, Breach, Record, Cybersecurity, Attack

Instructure, the company behind the Canvas learning management system, confirmed a cyber incident that exposed student and institutional information and disrupted portions of its platform environment.

The attack was later claimed by the extortion group ShinyHunters, which alleged it stole massive volumes of records tied to schools around the world.

This incident draws attention to education technology providers that manage communications, coursework, identity data, and operational systems for millions of users.

While Instructure said passwords, financial information, government identifiers, and birth dates were not compromised, the exposed information still included personal student data and private communications exchanged through educational platforms used every day by schools and universities.

Why It Matters: Education platforms now hold large stores of personal information tied to students, teachers, administrators, and institutional operations. A breach involving a centralized provider can expose data across thousands of organizations at the same time and interrupt systems tied to daily instruction and communication.

  • The Exposed Data Included Personal Records and Private Communications: Instructure confirmed attackers accessed names, email addresses, student ID numbers, and messages exchanged between users at affected institutions. Data samples reportedly shared with journalists included communications between students and teachers, course enrollment information, and some phone numbers. The company stated there is no evidence that passwords, financial records, government identifiers, or dates of birth were stolen.
  • ShinyHunters Claimed the Breach Affected Nearly 9,000 Schools: The group alleged the stolen data covered up to 275 million people connected to schools and universities across North America, Europe, and Asia-Pacific regions. The hackers also claimed they accessed billions of private messages and information tied to Instructure’s Salesforce environment. Those figures have not been independently verified.
  • Canvas Sits at the Center of School Operations for Many Institutions: The platform is used to manage coursework, grading, assignments, communications, and online learning activity. Because schools rely on Canvas for daily operations, Instructure’s containment measures created disruptions for some customers. The company said institutions were required to reauthorize API integrations after application keys were rotated during remediation efforts.
  • The Incident Drew Attention to Identity Systems and Third-Party Integrations: Instructure said its response included revoking privileged credentials and access tokens, rotating application keys, deploying patches, and increasing monitoring. Those actions suggest attackers may have gained access through privileged systems, cloud services, or connected integrations tied to the platform environment.
  • The Breach Follows a String of Attacks Targeting Education Providers: ShinyHunters has targeted educational institutions and cloud platforms in prior campaigns involving organizations such as Harvard University, the University of Pennsylvania, McGraw Hill, ADT, and Rockstar Games. The incident also follows the 2025 PowerSchool breach, which exposed sensitive student and teacher records tied to more than 62 million students and 9.5 million teachers and later resulted in lawsuits and legal settlements connected to cybersecurity failures.

Go Deeper:

  • Educational company Instructure reports cyber incident – The Record
  • Instructure confirms data breach, ShinyHunters claims attack – Bleeping Computer
  • Hackers steal students’ data during breach at education tech giant Instructure – TechCrunch
