ShinyHunters Claims 3.65TB Canvas Breach: 275 Million Education Records Under Extortion Threat

Cybercriminal group ShinyHunters is claiming responsibility for a large-scale data breach targeting Canvas, the learning management system operated by Instructure, with stolen data reportedly spanning 3.65 terabytes and affecting approximately 275 million records across 8,809 school systems. The threat actors are now demanding an undisclosed ransom payment and have escalated their pressure campaign by hijacking login pages at hundreds of educational institutions, effectively placing students, educators, and staff at heightened risk of credential compromise.

The attack represents a significant escalation in the education sector's ongoing battle against data extortion. ShinyHunters, a threat actor with a documented history of high-profile breaches, appears to have targeted the core infrastructure of Canvas, a platform used extensively by K-12 and higher education institutions worldwide. By hijacking institutional login pages, the group has positioned itself to intercept authentication credentials in real time, potentially granting access to email systems, gradebooks, and sensitive student information. The breadth of affected school systems—numbering nearly 8,800—underscores the systemic nature of the threat and the challenge facing educational IT administrators who must now assess exposure across their entire user base.

Education institutions have become increasingly attractive targets for ransomware and data extortion operations due to their decentralized IT environments, high concentrations of sensitive personal data, and historically limited cybersecurity resources. Security teams are urging affected districts and universities to audit authentication flows, enforce multi-factor authentication immediately, and monitor for anomalous login activity. Instructure has not yet publicly confirmed the full scope of the breach, and the investigation remains ongoing. The incident serves as a sharp reminder that the education sector's digital infrastructure remains a high-value target for organized cybercriminal enterprises capable of exploiting interconnected systems at scale.