ShinyHunters Claims Instructure Breach Stole Data From Nearly 9,000 Schools And 275 Million Individuals

05 May, 2026. Technology and Science. 14 sources

Key Takeaways

  • ShinyHunters claim data theft from Instructure affecting around 9,000 schools and 275–280 million records.
  • Personal data exposed includes student names, emails, and teacher–student messages.
  • Instructure confirmed the breach; ShinyHunters publicly claimed responsibility.

Breach Claim Hits Canvas

Instructure, the education technology company behind the Canvas learning management system, confirmed a cyberattack that exposed sensitive user information and communications, while the extortion group ShinyHunters claimed responsibility and said it stole data tied to nearly 9,000 schools and 275 million individuals.

BleepingComputer reported that the hacker behind the breach claims to have stolen “280 million records” tied to students and staff from “8,809 colleges, school districts, and online education platforms.”

TechRadar said Instructure confirmed the incident and that, “at this stage we believe the incident has been contained,” while also stating the crooks accessed “certain identifying information of users” including “names, email addresses, student ID numbers, and user communications.”

SecurityWeek described the timeline as Instructure disclosing the cyberattack on April 30 and largely addressing it by May 3, after which ShinyHunters added Instructure to its Tor-based leak site claiming the theft of “3.65 terabytes of data.”

Multiple outlets tied the breach narrative to ShinyHunters’ leak-site pressure, with TechRepublic quoting the group’s threat: “FINAL WARNING PAY OR LEAK.”

Instructure’s own statements, as quoted by SecurityWeek and Techzine Global, emphasized that “passwords, dates of birth, government identifiers, and financial data” were not involved based on current findings, even as the company said investigations were ongoing.

Across the coverage, the core dispute centered on scale and what was actually taken, with BleepingComputer noting it would not name specific organizations listed by the threat actor because it had not independently verified impact.

What Instructure Says

Instructure’s public messaging, as reflected across multiple reports, focused on containment and the types of data involved, while repeatedly declining to provide technical details about how the attackers gained access.

TechRadar wrote that Instructure confirmed the breach and said it revoked privileged credentials and access tokens, deployed patches, rotated keys, and implemented increased monitoring across all platforms, while also stating it did not say how many people were affected or who the threat actors were.

SecurityWeek quoted Instructure’s statement that “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved,” and said Instructure revealed attackers gained access to “names, email addresses, and student ID numbers” and that “User messages were also compromised.”

SQ Magazine similarly reported that Instructure confirmed “personal information and messages were exposed” and emphasized that “sensitive data such as passwords, dates of birth, government identifiers, and financial information were not involved.”

Techzine Global quoted Instructure’s statement that “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.”

SC Media’s brief said Instructure implemented patches, enhanced monitoring, and rotated application keys, and that the company stated there was “no evidence that passwords, dates of birth, government identifiers, or financial information were accessed.”

Security Affairs also reproduced Instructure’s incident-report language, including “Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.”

Even as Instructure said it would notify institutions if assessments changed, Techzine Global and Security Affairs both described the company’s posture as ongoing investigation with no evidence of certain categories of data being compromised.

ShinyHunters’ Numbers and Claims

While Instructure emphasized containment and disputed categories of data, ShinyHunters’ claims drove the scale figures and the pressure tactics described by multiple outlets.

BleepingComputer said the ShinyHunters extortion gang claimed responsibility and “says it stole 280 million records,” and it also reported that the threat actors published a list of “8,809 school districts, universities, and educational platforms” with record counts per institution.

TechRadar reported that ShinyHunters wrote “Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII,” and it also quoted the group’s claim that “Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII.”

SecurityWeek described ShinyHunters adding Instructure to its leak site on May 3 and claiming “3.65 terabytes of data,” while also stating the threat actor claimed the stolen information belonged to “275 million students, teachers, and other individuals at close to 9,000 education institutions worldwide.”

SQ Magazine reported that ShinyHunters alleged it stole “between 240 million and 275 million records,” totaling “around 3.65 terabytes of data,” and said the group claimed “15,000 institutions globally.”

Techzine Global said ShinyHunters claimed “nearly 9,000 schools worldwide” were affected and that “data of 275 million individuals was stolen, including private messages between students and teachers,” while also alleging ShinyHunters held “over 240 million records” spanning “almost 15,000 institutions.”

TechRepublic added that ShinyHunters gave Instructure a deadline and threat, quoting “FINAL WARNING PAY OR LEAK,” and it further described ShinyHunters’ claim that “Your Salesforce instance was also breached.”

Across these accounts, the common thread was that ShinyHunters tied the alleged theft to Canvas data export features and to Salesforce, while Instructure’s public updates did not confirm the attacker’s claimed scale.

Institutions React and Investigate

As the breach narrative spread, some universities and institutions issued statements about potential impact and ongoing investigation, even while Instructure’s investigation continued.

BleepingComputer reported that “some universities have begun issuing statements about the potential impact,” including the University of Colorado Boulder, which warned: “CU is aware of a data breach involving Instructure, the parent company of Canvas, our learning management system. This reported data breach is a nationwide event affecting multiple institutions.”

Rutgers issued a different message, with BleepingComputer quoting: “At present, Rutgers has not been notified of any direct impact to our campus. Canvas remains available and operational to Rutgers faculty, staff, and students.”

Tilburg University’s warning, also quoted by BleepingComputer, said: “An investigation is currently underway to determine what exactly happened and which systems were affected. It has not yet been confirmed whether data of Tilburg University students and staff has been impacted. Further questions have been submitted to the supplier to obtain more clarity.”

Instructure’s own approach to communication, as described by SecurityWeek and Techzine Global, centered on notifying impacted institutions if assessments changed, while maintaining that certain categories of data were not involved.

Security Affairs described Instructure’s incident report as saying “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved,” and it also said the company would update its status page and notify institutions if new findings emerged.

Techzine Global added, regarding Instructure, that “Customers must re-authorize API access for new keys to be issued,” tying the response to operational steps for users and administrators.

Even where outlets differed on the attacker’s claimed scale, the institutional reaction pattern was consistent: universities emphasized investigation, potential impact, and whether Canvas remained operational.

How Outlets Framed the Story

Coverage diverged across outlets in how it framed the breach’s scope, the role of Salesforce, and the implied technical pathway, even when they relied on overlapping claims from Instructure and ShinyHunters.

TechRadar emphasized Instructure’s confirmation and containment, quoting the company’s statement that “at this stage we believe the incident has been contained,” and it highlighted that “Passwords, dates of birth, government identifiers, or financial information, were not involved.”

TechRepublic focused on the extortion threat and the sensitivity of private messages, stating that Instructure confirmed “a cybersecurity incident involving some Canvas LMS user information and messages,” while also quoting ShinyHunters’ “FINAL WARNING PAY OR LEAK.”

SecurityWeek centered on the operational timeline, saying the cyberattack was disclosed on April 30 and that access to “Canvas Data 2 platform was restored” by May 3, before describing the leak-site posting of “3.65 terabytes of data.”

SQ Magazine and Techzine Global both highlighted the leak-site listing and the alleged record counts, but SQ Magazine reported ShinyHunters alleged “between 240 million and 275 million records,” while Techzine Global said ShinyHunters claimed “over 240 million records” and “almost 15,000 institutions.”

BleepingComputer added a verification constraint, saying it was “not naming specific organizations listed by the threat actor” because it had not independently verified impact, while also reporting that the threat actor published “a list of 8,809 school districts, universities, and educational platforms.”

Security Affairs, meanwhile, reproduced Instructure’s incident-report language and framed the response around key rotation and monitoring, quoting “Out of an abundance of caution, we rotated certain keys” and describing the company’s statement that it had found “no evidence” of passwords, government identifiers, or financial information.

Across these differences, the common factual anchors remained Instructure’s confirmation of a cyberattack, ShinyHunters’ claim of theft, and the repeated assertion that passwords and financial information were not involved based on current findings.

What Comes Next

Looking ahead, the sources describe a continuing investigation, ongoing monitoring, and potential notifications to institutions, alongside the threat of further leak activity tied to ShinyHunters’ deadlines.

Instructure said it was working with “outside forensics experts,” and TechRadar quoted the company’s statement that “While our investigation continues alongside our outside forensics experts, at this stage we believe the incident has been contained.”

SecurityWeek reported that Instructure announced on May 1 that the incident was perpetrated by cybercriminals and that it had retained outside forensics experts to investigate, and it said on May 2 that the attack had been contained and that certain application keys had been reissued, requiring users to reauthorize access.

Techzine Global said the company deployed patches and increased monitoring and that “Customers must re-authorize API access for new keys to be issued,” making reauthorization a concrete next step for affected users.

BleepingComputer said Instructure had not responded to repeated emails, but it also reported that universities were investigating which systems were affected and whether data of their students and staff had been impacted.

Security Affairs described Instructure’s plan to “monitor the situation and will notify institutions if new findings emerge,” while also stating that it had found “no evidence” of passwords, dates of birth, government identifiers, or financial information being involved.

On the threat side, TechRepublic and SecurityWeek both described ShinyHunters’ leak-site pressure, including “FINAL WARNING PAY OR LEAK,” and the claim that ShinyHunters uploaded “3.65 terabytes of related stolen data” on May 3, which keeps the possibility of additional disclosure tied to the extortion campaign.

Even as Instructure’s statements narrowed the confirmed categories of data, the repeated emphasis on user messages and communications—described by TechRadar as “user communications” and by SecurityWeek as “User messages were also compromised”—means the consequences for education communities depend on what further details emerge from the ongoing investigation.
