ShinyHunters said it stole more than 3.6 terabytes of uncompressed data and claimed 275 million records affecting 8,809 educational organizations — a single brief that, according to Instructure and BleepingComputer reporting, preceded a second intrusion meant to force negotiations.
What Instructure confirmed about the April 29 breach
On April 29, Instructure discovered its network had been breached and, in the company's words, “immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.” A few days later the company confirmed that data was stolen. The threat actor ShinyHunters published material on their data leak site claiming more than 3.6 terabytes of uncompressed data and a total impact that touches 8,809 schools, universities, colleges and online platforms.
How ShinyHunters exploited Canvas Free-for-Teacher with XSS
BleepingComputer reported that both the initial breach and the later defacements involved multiple cross-site scripting (XSS) vulnerabilities. According to that reporting, ShinyHunters injected malicious JavaScript by exploiting XSS bugs within user-generated content features in Canvas. The attacker used that injected code to obtain authenticated admin sessions and to perform privileged actions.
Instructure confirmed the exploited security issue affected the Free-for-Teacher environment, the free, limited version of Canvas LMS for individual educators. The same vulnerability that was used in the initial intrusion was used again on May 7 in a second hack intended to draw attention and pressure Instructure into entering ransom negotiations.
Scope of data the actor claims to have taken
ShinyHunters' post and Instructure's subsequent statements outline both volume and likely contents. The actor claimed 3.6 terabytes of uncompressed data and said the breach impacts 8,809 educational organizations and 275 million records belonging to students, teachers and other staff members. Instructure and reporting indicate the data exfiltrated in the first breach likely includes usernames, email addresses, course names, enrollment information, and messages.
By contrast, the company and reporting say the later defacement — the May 7 modification of Canvas login portals — did not itself compromise additional data, but was used to place an extortion message and a deadline: ShinyHunters warned Instructure and the schools that use its platform that they had until May 12 to reach out and negotiate a ransom.
Instructure’s operational response and service availability
After discovering the April 29 breach, Instructure temporarily took Canvas offline “to prevent the malicious activity from spreading, determine the cause, and to apply additional safeguards,” the company said. The vendor shut down Free-for-Teacher accounts until the issues were resolved. Canvas service was restored and available for use since May 9th, according to the company.
How technologists, educators, and adversaries are positioned
- Technologists and security teams: The demonstrated chain — user-generated content XSS → injected JavaScript → authenticated admin sessions — highlights how client-side scripting flaws can escalate privileges inside a hosted LMS. Teams responsible for hosted and multi-tenant environments will be watching for the specific user-content controls and sanitization gaps that were exploited.
- Educators and affected institutions: Schools and individual educators using the Free-for-Teacher environment are directly named in the response: Instructure shut those accounts and restored Canvas on May 9th. Institutions named in ShinyHunters’ claim (8,809 organizations) should be confirming whether they are included in the published data and monitoring communications from Instructure and forensic investigators.
- Adversaries and extortion actors: The case shows a two-stage pattern — an initial data exfiltration followed by a public defacement using the same vulnerability as a pressure tactic. That tactic — combining data publication with visible portal defacement and a short negotiation deadline — may inform how other extortion actors structure campaigns against platform providers.
The record assembled in public reporting and in Instructure’s disclosures leaves two immediate, concrete questions: will the deadlines and negotiation demand set by ShinyHunters produce any engagement, and will forensic analysis publicly reconcile the actor’s claimed 3.6 terabytes and 275 million records with the inventories of impacted organizations? The answers will determine whether this episode remains primarily a high-profile extortion case, or becomes a broader test of how hosted educational platforms and their customers respond to large-scale data exfiltration.




