Canvas maker Instructure reveals data breach — confirms user personal information leaked

News
By published

ShinyHunters take responsibility for Instructure attack

A hand holding a credit card in front of a laptop screen with Matrix-style data on it
(Image credit: Getty Images)
  • Instructure confirms cyberattack exposing names, emails, IDs, and user communications
  • ShinyHunters claims responsibility, alleging data theft from millions across thousands of schools
  • The incident highlights risks in third‑party integrations, with experts urging stronger access governance

Instructure, the edtech giant behind the popular Canvas learning system, has confirmed suffering a cyberattack and losing sensitive customer data.

The company issued a brief statement, confirming the hit, “While our investigation continues alongside our outside forensics experts, at this stage we believe the incident has been contained,” the notice reads.

Instructure said the crooks accessed “certain identifying information of users” at affected institutions, including names, email addresses, student ID numbers, and user communications.

Article continues below

ShinyHunters strike again

Passwords, dates of birth, government identifiers, or financial information, were not involved.

Still, having names, emails, and communications, is more than enough information to mount highly convincing phishing attacks and identity theft, which could lead to more destructive scams.

Instructure also said it revoked privileged credentials and access tokens associated with affected systems, deployed patches, rotated keys, and implemented increased monitoring across all platforms.

The company did not say how many people were affected by the breach, or who the threat actors were. However, BleepingComputer found the infamous ShinyHunters claimed responsibility by listing the company on its dark web site.

"Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII," the crooks wrote.

"Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved."

Apparently, the threat actors managed to access Instructure through a vulnerability in their systems, which the company has subsequently patched. They seem to have stolen files from 15,000 institutions in different places around the world, including Europe, North America, and Asia-Pacific.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.