"Approximately 275 million individuals' data," the threat actor group ShinyHunters claimed — a staggering figure that, if accurate, would make this one of the larger breaches reported in recent weeks.
Instructure confirms data was stolen after May 1 disclosure
On May 1, Instructure, the United States–based parent company of the Canvas learning management system, disclosed a cybersecurity incident and said it was investigating the event alongside third‑party experts. The company announced the following day that it believed the incident had been contained. Instructure also said it intends to keep users informed as the investigation develops and as appropriate.
Specific records ShinyHunters and Instructure say were exposed
According to the company notice summarized in reporting, the types of information identified as compromised include:
- Names
- Email addresses
- Student ID numbers
- User messages
Instructure stated that, at this time, it does not believe birth dates, passwords, government identifiers, or financial information were impacted.
ShinyHunters claims responsibility and points to a Salesforce misconfiguration
The threat actor group ShinyHunters has claimed responsibility for the attack and asserted that roughly 9,000 schools worldwide were affected. In its public claim, ShinyHunters estimated that data for approximately 275 million individuals — described as students, teachers, and additional staff — were involved. The group also attributed the breach, like several others it has referenced in recent weeks, to a Salesforce misconfiguration and urged security leaders of companies that use Salesforce to review configuration settings to ensure they are secure.
Instructure, Canvas and the scale of potential impact
Instructure is best known as the parent company of Canvas, a learning management system widely adopted by schools and universities. The combination of a widely used education platform and the numbers cited by ShinyHunters frames why the claim of millions of records — if substantiated — would reach across students, faculty and administrative staff. Instructure’s public statements limit confirmed details to the data types listed above while investigators and third‑party experts continue their review.
What this means for security teams, procurement leaders, and end users
- Security teams: ShinyHunters explicitly pointed to a Salesforce misconfiguration and recommended that security leaders review configuration settings. Security teams at organizations using Salesforce or integrated services will watch Instructure’s investigation for confirmation of the technical cause and any indicators of compromise.
- Procurement and IT leaders at schools and universities: Institutions that deploy Canvas or other platforms provided by Instructure will monitor communications from the company and assess vendor configuration and oversight practices as they determine whether they were affected.
- End users (students, teachers, staff): The company’s notice and the group’s claim identify specific pieces of exposed data — names, email addresses, student ID numbers, and user messages — while asserting that birth dates, passwords, government identifiers, and financial data were not impacted. Users should watch for Instructure’s updates as the investigation continues.
For now, the story rests on two concurrent threads: Instructure’s confirmation that data were stolen and that the company is working with third‑party experts, and ShinyHunters’ public claim tying the incident to a Salesforce misconfiguration and offering a very large estimate of affected schools and individuals. Which of those threads accurately captures the final scope and root technical cause remains to be confirmed by the ongoing investigation. Instructure has said it will keep users informed as appropriate.
