Double Canvas Breach: ShinyHunters Demands Ransom as 275M+ Users' Data Stolen from 9,000 Schools

Instructure, the parent company of the Canvas learning platform, has confirmed two separate unauthorized intrusions within two weeks after the ShinyHunters extortion group claimed responsibility and set a pay-or-leak deadline for data allegedly belonging to more than 275 million students, teachers, and staff tied to nearly 9,000 educational institutions worldwide.

The company finally broke its silence on Monday, admitting that criminals exploited a security vulnerability in its Free-for-Teacher learning system to breach its infrastructure twice. The first incident surfaced when Canvas went offline last Thursday, disrupting access to course materials, grades, and due dates for thousands of colleges, universities, and K-12 schools during final exams and Advanced Placement testing. Instructure claimed the platform was fully restored by Saturday. The stolen data reportedly includes usernames, email addresses, and course names, raising concerns about credential reuse attacks across interconnected educational systems.

ShinyHunters, a known data-theft-and-extortion operation, threatened to publish the allegedly exfiltrated dataset if their ransom demands are not met. The timing of the breach—deliberately targeting a period of peak academic activity—underscores the calculated nature of the attack and the pressure it places on educational institutions already navigating complex operational challenges. Security researchers warn that the scale of the alleged breach, if confirmed, could enable widespread credential stuffing campaigns and phishing operations targeting the education sector globally. Instructure has apologized for the disruption but faces mounting scrutiny over the delay in disclosing the full scope of the compromise.