ShinyHunters Claims 275M Records Stolen in Canvas LMS Breach; 8,800 Schools Warned as Ransom Deadline Approaches

A threat actor operating under the alias ShinyHunters claims to have exfiltrated approximately 275 million records from Canvas LMS, the learning management system operated by Instructure, in a breach that has now affected more than 8,800 educational institutions across the United States and internationally. Instructure confirmed detecting unauthorized access to its systems on April 29 and acknowledged that the initial compromise stemmed from Free-For-Teacher accounts, which the company has since disabled. The disclosure signals a significant data security failure at scale, with one of the education sector's most widely deployed platforms now at the center of a potentially massive exposure event.

ShinyHunters, a threat actor with a documented history of selling stolen data on dark web forums, provided BleepingComputer with a list of 8,809 affected institutions alongside per-school record counts. The exposed data reportedly includes usernames, email addresses, student identification numbers, and private messages between users—ShinyHunters claims several billion messages were accessed. The full scope of the breach remains unverified by independent third parties, and Instructure has not publicly confirmed the 275 million record figure. Among the institutions identified are Columbia University, Rutgers, Princeton, Harvard, Georgetown, and Kent State, alongside school districts across more than twelve states. International exposure extends to institutions in the United Kingdom, Australia, New Zealand, Sweden, and the Netherlands.

The ransom deadline ShinyHunters has set falls on May 12, raising the prospect that stolen data could be published or sold if demands are not met. Several institutions have already taken precautionary measures. The University of Texas at San Antonio rescheduled Friday finals, while the North Carolina Department of Public Instruction severed Canvas access through the NCEdCloud platform entirely. Multiple universities advised students against logging into the platform. Canvas has since resumed normal operations, though the breach has reignited scrutiny over the security of third-party integrations and free-tier accounts on platforms handling sensitive student data.