Instructure confirms data breach affecting 275 million users

Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the notorious ShinyHunters extortion gang claiming responsibility for what appears to be one of the largest education sector breaches on record.

Instructure is a U.S.-based education technology company best known for developing Canvas, a widely used learning management system that helps schools, universities, and organizations manage coursework, assignments, and online learning. The platform serves institutions across the globe, making this breach particularly significant for the education sector.

On Friday, Instructure disclosed that it suffered a cybersecurity incident and is working with third-party cybersecurity experts and law enforcement to investigate it. The company initially provided limited details but updated its statement on Saturday with more concerning information about the scope of the breach.

“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” reads the updated statement.

The company emphasized that passwords, dates of birth, government identifiers, and financial information were not involved in the breach. However, the exposure of private messages between students and teachers raises serious privacy concerns for educational institutions worldwide.

As part of its response, Instructure has deployed patches, increased monitoring, and rotated application keys as a precautionary step. Customers are now required to re-authorize access to Instructure’s API for new application keys to be issued, which may cause temporary disruptions for institutions using the platform.

The ShinyHunters extortion gang has now listed Instructure on its data leak site, making dramatic claims about the scope of the breach. The threat actors claim to have accessed data from nearly 9,000 schools worldwide, affecting approximately 275 million individuals including students, teachers, and staff.

“Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII,” the gang stated on its leak site. The group also claimed to have breached Instructure’s Salesforce instance and obtained additional data beyond what the company has publicly acknowledged.

ShinyHunters alleged that the data was stolen through a vulnerability in Instructure’s systems, which has since been patched. The threat actor claims their dataset contains over 240 million records with students’ names, email addresses, enrolled courses, and private messages to teachers.

Data shared by the cybercriminals suggests the alleged dataset spans almost 15,000 institutions across multiple regions, including North America, Europe, and Asia-Pacific. This global reach highlights the interconnected nature of modern educational technology and the potential for widespread impact from a single breach.

The incident comes at a time when educational institutions are increasingly reliant on digital platforms for learning management, especially following the pandemic-driven shift to online and hybrid learning models. Canvas is one of the dominant players in this space, making any security incident particularly disruptive for the education sector.

ShinyHunters is a well-known cybercriminal group that has been linked to numerous high-profile data breaches over the past few years. The gang typically operates by stealing sensitive data and then threatening to release it publicly unless a ransom is paid. Their involvement suggests this incident may be part of a broader extortion attempt against Instructure.

The education sector has become an increasingly attractive target for cybercriminals due to the valuable personal information stored in learning management systems and the typically limited cybersecurity resources available to educational institutions. This breach could prompt renewed scrutiny of security practices across the education technology industry.

Instructure has not yet responded to questions about the timeline of the breach or whether it is facing extortion demands from the attackers. The company’s investigation is ongoing, and it has promised to notify affected institutions if additional types of sensitive data are discovered to be involved.