Skip to main content
Emerging ThreatsData Breaches

Instructure Breach Exposes 280 Million Records from 8,800 Educational Institutions

Brightly-lit school hallway with computers and students in background.

“The ShinyHunters extortion gang claimed responsibility for the attack and says it stole 280 million records for students, teachers, and staff.”

ShinyHunters says 280 million records from 8,809 schools and platforms

The group identified by the source as ShinyHunters published a list it says contains 8,809 colleges, school districts, and online education platforms whose Canvas instances were impacted. The threat actor told BleepingComputer it stole 280 million records tied to students and staff. Reported record counts per institution range from tens of thousands to several million.

How the attackers say they pulled data from Canvas

The attackers claim they used Canvas data export features to harvest the information, specifically naming DAP queries, provisioning reports, and user APIs. The threat actor said these export mechanisms yielded hundreds of gigabytes of user records, messages, and enrollment data.

Types and volume of data the parties say were exposed

Instructure, the cloud-based education technology company best known for its Canvas learning management system, disclosed it was investigating a cyberattack and later revealed a data breach. According to the disclosure reported by BleepingComputer, users' names, email addresses, and private messages were exposed. The threat actor also claimed to have taken enrollment data and other user records in “hundreds of gigabytes.”

Institutional responses: University of Colorado Boulder, Rutgers, Tilburg University

Some universities have issued public statements after the disclosure. The University of Colorado Boulder warned that “CU is aware of a data breach involving Instructure, the parent company of Canvas, our learning management system. This reported data breach is a nationwide event affecting multiple institutions.”

Rutgers stated, “At present, Rutgers has not been notified of any direct impact to our campus. Canvas remains available and operational to Rutgers faculty, staff, and students.” Tilburg University said an investigation is underway: “It has not yet been confirmed whether data of Tilburg University students and staff has been impacted. Further questions have been submitted to the supplier to obtain more clarity.”

How technologists, institutions, and students are positioned in this incident

  • Technologists and security teams: The published claim that export features — DAP queries, provisioning reports, and user APIs — were used focuses scrutiny on those APIs and export paths; the threat actor’s account also centers the response on assessing data export controls and the volume of harvested records.
  • Affected universities and procurement leaders: With a published list of 8,809 institutions and per-institution record counts, campus leadership faces the task of determining whether their Canvas instance appears on the list and what specific record counts, if any, apply to their community.
  • Students and staff: Instructure’s disclosure that names, email addresses, and private messages were exposed means those categories of users are named in the company’s public characterization of the breach and are the populations most plainly identified in the reported leak.

BleepingComputer reports it has not independently verified whether the institutions on the published list were actually impacted and is not naming specific organizations from the list for that reason. Multiple requests for comment sent to Instructure went unanswered in the reporting; BleepingComputer says it has contacted Instructure again with additional questions and will update the story if it receives a response.

The public record in this episode contains three concrete nodes: Instructure’s disclosure that a breach occurred and that names, email addresses, and private messages were exposed; the ShinyHunters claim of 280 million records and a published list of 8,809 institutions with per-institution counts; and a small but growing set of university statements that range from awareness to ongoing investigation. Which institutions were actually affected, and how many records from each, remains a question the parties reporting the incident say requires further verification.

Source: BleepingComputer — Instructure hacker claims data theft from 8,800 schools, universities