Emerging ThreatsData Breaches

Instructure Breach Exposes Data of 275 Million Users

Analyst 207||Source: BleepingComputer
Laptop on a college campus table with a subtle hint of a data breach.

"While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users," Instructure wrote in an updated statement.

Instructure confirms stolen data and opens an investigation

Instructure, the U.S.-based education technology company best known for the Canvas learning management system, disclosed a cybersecurity incident on Friday and said it is working with third-party cybersecurity experts and law enforcement to investigate. The company subsequently issued an update saying personal information of users was exposed in the breach and described steps it has taken to respond.

ShinyHunters posts claims and large-scale numbers

The extortion group ShinyHunters has listed Instructure on its data leak site and posted sweeping claims about the scope of the incident. The data leak site asserts "Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII" and alleges "Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved."

Separately, the threat actor claimed a dataset of over 240 million records tied to students, teachers, and staff, including students' names, email addresses, enrolled courses, and private messages to teachers. The actor said the alleged dataset spans almost 15,000 institutions across North America, Europe, and Asia-Pacific. ShinyHunters also claimed the data was stolen via a vulnerability in Instructure's systems that has since been patched.

What Instructure says was — and was not — exposed

Instructure's updated statement limited the confirmed categories of exposed information to certain identifying details and messages among users. The company said it has found no evidence so far that passwords, dates of birth, government identifiers, or financial information were involved, and promised to notify impacted institutions if that changes.

Technical response: patches, monitoring, and key rotation

As part of its response, Instructure reported it has deployed patches, increased monitoring, and rotated application keys. The company requires customers to re-authorize access to Instructure's API in order to receive new application keys. Those steps were presented as precautionary measures while the investigation continues.

What this means for schools, students, and institutional IT teams

  • Schools and universities: Several claims on the leak site name large numbers of affected institutions — including assertions of nearly 9,000 schools and as many as 15,000 institutions — that, if accurate, would point to a broad operational impact across multiple regions. BleepingComputer has not independently verified which schools, if any, are affected.
  • Students and teachers: The threat actor specifically alleges exposure of names, email addresses, enrolled courses, and private messages between students and teachers; Instructure acknowledged identifying information and messages among users were involved in the incident.
  • Institutional IT and security teams: Instructure has rotated application keys and is requiring API re-authorization for customers; institutions will need to follow those re-authorization steps and monitor for follow-on notifications from Instructure as the vendor continues its investigation.

BleepingComputer reached out to Instructure with questions about the timing of the breach and whether the company was being extorted; the outlet reported that Instructure has not responded to those specific questions. BleepingComputer also noted it has not been able to independently confirm which schools or how many individuals were impacted and has contacted Instructure with additional questions about the threat actor's claims.

The public record for now is a vendor confirmation of stolen data and an aggressive set of claims by a known extortion group. Instructure's statements describe certain categories of user identifying information and messages as involved, and the company says it has taken technical precautions while working with outside experts and law enforcement — even as the data leak site posts continue to assert far larger numbers and additional affected systems. How many institutions and individuals were actually impacted, when the theft occurred, and whether the company faced extortion remain questions the company and investigators will need to answer.

Source: BleepingComputer — Instructure confirms data breach, ShinyHunters claims attack

Data BreachEmerging ThreatsUnited StatesUser Data ExposureInstructureEducation TechnologyCanvasLearning Management System
Related Intelligence

Continue Reading

Technicians surround a prominent server terminal with a blurred screen in a brightly-lit Japanese data center.

KDDI Data Breach Compromises 14.2 Million Email Logins at Six ISPs

A massive data breach at KDDI Corporation has put 14.2 million email logins at risk, compromising sensitive information for customers across six Japanese internet service providers. The breach, discovered on June 17, exploited a vulnerability in a third-party software component used on one of KDDI's email systems.

Analyst 207
Person sitting in quiet room, holding smartphone with concern, surrounded by papers and laptop.

Russia Targets Messaging Credentials with Fake Support Texts

Beware of fake support texts that could compromise your personal data and sensitive information! A joint investigation by the Security Service of Ukraine and the FBI uncovered a systematic campaign to steal messaging platform credentials from government officials, military personnel, and activists worldwide.

Analyst 207
Developer workstation with laptop open to GitHub repository, surrounded by coding tools and notes on cluttered desk.

GitHub Repos Used to Deploy Malware via AI Coding Tools

Imagine a GitHub repository that looks perfectly safe, yet can secretly deploy malware on a developer's device - all without triggering any red flags. Researchers have demonstrated just how easily this can happen, using an AI coding agent to run a malicious payload hidden in a seemingly clean project.

Analyst 207
Person sits in quiet room with smartphone, papers, and blurred laptop screen, conveying cautious atmosphere.

FBI Warns of Russian Hackers Targeting Signal Backup Keys

Stay vigilant, as Russian hackers are now targeting Signal backup keys in an evolved phishing campaign, attempting to gain access to your historical message backups by tricking you into revealing these sensitive keys. Be cautious of messages masquerading as automated support accounts, as they may be part of this sinister plot.

Analyst 207