Instructure, the company behind Canvas learning management software used by millions of students globally, confirmed a data breach following a ShinyHunters extortion claim. The threat actor group posted stolen data samples on dark web forums and threatened to sell the full dataset unless Instructure paid a ransom.
ShinyHunters, known for targeting edtech and SaaS platforms, exploited unpatched vulnerabilities or credential compromise to access Instructure systems. The gang typically exfiltrates customer databases, personally identifiable information, and internal documents before demanding payment.
Instructure notified affected users and law enforcement. The company did not disclose the attack vector, timeline, or specific volume of compromised records in initial statements. Security researchers examining the leaked samples confirmed they contained legitimate Instructure customer data.
The breach affects educational institutions relying on Canvas for course management, student records, and communications. Defenders should monitor for credential stuffing attacks using exposed Instructure usernames and passwords. Organizations should enable multi-factor authentication, audit Canvas access logs for unauthorized activity, and review third-party integrations for lateral movement risks.
ShinyHunters has claimed similar breaches at Tokopedia, Artsy, and Zomato. Ransom demands typically range from tens of thousands to hundreds of thousands of dollars.