Instructure confirmed that cybercriminals have stolen personal data belonging to 275 million users of its Canvas learning platform. The ShinyHunters extortion group claimed responsibility for the attack which affected nearly 9,000 schools worldwide and compromised names, email addresses, student ID numbers and messages between students and teachers.
The breach first surfaced on April 30 2026, when Instructure disclosed disruptions affecting tools that rely on API keys. By May 3, ShinyHunters had listed the company on its data leak site with a ransom demand and the threat “Pay or Leak.” According to SecurityWeek, ShinyHunters claimed the theft of 3.65 terabytes of data belonging to 275 million students, teachers and other individuals at close to 9,000 education institutions worldwide.
Instructure stated it has found no evidence that passwords, dates of birth, government identifiers or financial information were compromised. However, the exposed data includes enough personally identifiable information to fuel targeted phishing campaigns against anyone who has used Canvas in recent years.
The Group That Made 2026 a Catastrophic Year for Data Security
ShinyHunters has emerged as one of the most prolific data theft operations on record. The group has targeted well over 400 companies since 2020, but 2026 represents an escalation that should concern every security team. In February alone, they breached Dutch telecom Odido, exposing 6 million customer records. In March, they claimed to have stolen 350GB of data from the European Commission. TechCrunch confirmed that the total unique emails included in the stolen data amount to 231 million from this latest Instructure attack.
The Canvas breach is not ShinyHunters’ first attack on Instructure. According to multiple security researchers, this is their second breach of the company in eight months with the previous attack in September 2025 also targeting their Salesforce environment through social engineering. That pattern raises uncomfortable questions about whether the company fully remediated the first incident.
What makes ShinyHunters particularly dangerous is their systematic approach to cloud platform exploitation. Rather than relying on complex malware or zero-day exploits, they target misconfigurations in widely used business applications like Salesforce, Mixpanel and now Canvas. The group’s success rate suggests these configuration weaknesses are more common than most organizations realize.
API Keys Remain the Weakest Link in EdTech Security
The technical details of how ShinyHunters breached Canvas have not been fully disclosed but the attack pattern follows their established methodology. Instructure confirmed the initial disruption affected “tools relying on API keys”, the same access tokens that allow different software applications to communicate with Canvas.
This is consistent with ShinyHunters’ broader campaign strategy. Throughout 2025 and 2026, they have repeatedly exploited stolen API credentials and OAuth tokens to gain unauthorised access to cloud platforms. In the Salesforce Experience Cloud attacks that preceded this breach, they used modified versions of legitimate auditing tools to extract data through exposed endpoints.
The education technology sector has become a prime target because schools often lack the security resources that financial services or healthcare providers can deploy. Canvas is used by approximately 4,000 institutions globally, including universities across Europe. The platform’s reach means a single successful attack can expose data from multiple countries simultaneously.
This is also why MDR matters. Managed Detection and Response helps organizations detect suspicious access, unusual account activity, abnormal data movement and early signs of compromise before an incident grows. In an environment where cloud platforms, integrations and third-party tools are deeply connected, prevention alone is not enough. Schools and organizations need continuous monitoring and rapid response to spot threats early and contain them faster.
What Canvas Users Should Do This Week
Anyone with a Canvas account should assume their data was compromised and act accordingly. Change your Canvas password immediately, even if you have not received an official notification from your school. If you used the same password on other accounts, change those today.
The stolen data contains enough personal information including names, email addresses, student IDs to make phishing attempts highly targeted. Be sceptical of any email or message claiming to be from your school or Canvas, regardless of how authentic it appears. ShinyHunters have previously used stolen data to craft convincing social engineering campaigns against their victims.
For educational institutions using Canvas, this incident should prompt an immediate audit of third-party integrations and API access controls. Review which applications have access to your Canvas environment and whether those permissions are still necessary. ShinyHunters repeatedly exploit the trust relationships between cloud applications to move laterally through interconnected systems.
References
- Instructure confirms data breach, ShinyHunters claims attack
- Edtech Firm Instructure Discloses Data Breach
- Hackers steal students’ data during breach at education tech giant Instructure
- Canvas breach? Hackers threaten to leak messages of 275M users
- Canvas Breach May Put 275M Users, 9,000 Schools at Risk
This post is also available in:
Svenska
Related News
ShinyHunters Claims Udemy, Zara and 7-Eleven in Latest Extortion Wave
ShinyHunters claimed to have stolen 1.4 million records from online learning platform Udemy and has threatened to release the data alongside stolen information from Zara…
April 28, 2026 
Booking.com Data Breach Exposes Millions as WhatsApp Scammers Strike
Booking.com confirmed Monday that hackers accessed customer reservation data in a breach that appears to have been running undetected since early April. The travel platform…
April 15, 2026