Instructure confirms data exposure following cyberattack as ShinyHunters claims massive breach

Instructure, a U.S.-based education technology provider known for its Canvas learning management system, confirmed that user data was accessed during a recent cyberattack and is currently under investigation with the support of cybersecurity specialists and law enforcement authorities.

The company disclosed the incident on Friday and issued an update Saturday indicating that certain personal information belonging to users at affected institutions had been exposed. The compromised data includes identifying details such as names, email addresses and student ID numbers, along with user messages exchanged within the platform.

The company stated that there is no evidence at this stage that passwords, dates of birth, government-issued identifiers or financial information were involved. It added that affected institutions would be notified if the scope of exposure changes.

In response to the breach, Instructure implemented security patches, increased system monitoring and rotated application keys as a precautionary measure. Customers have been instructed to reauthorize access to the company’s application programming interface to obtain new keys.

The ShinyHunters extortion group has claimed responsibility for the attack and listed Instructure on its data leak site, asserting that the breach affects nearly 9,000 schools globally and involves data from approximately 275 million individuals, including students, teachers and staff.

The group claims the dataset contains over 240 million records, including names, email addresses, enrolled course information and private messages exchanged between users. It further alleges that billions of private communications were compromised and that the company’s Salesforce environment was also breached.

According to the group, the data was obtained through a vulnerability in Instructure’s systems that has since been patched. The dataset is described as spanning nearly 15,000 institutions across regions including North America, Europe and the Asia-Pacific.

The full extent of the breach, including the number of affected institutions and individuals, remains under investigation.