ShinyHunters Canvas LMS Breach: 275 Million Students' Data at Risk of Public Leak Tomorrow

ShinyHunters exploited a vulnerability in Instructure's backend infrastructure to gain unauthorized access on April 30, 2026. The attack caused immediate disruption: Canvas users and API integrations began reporting authentication failures before Instructure issued its first incident notice, indicating the attacker disrupted credential validity during the exfiltration activity. Once inside, ShinyHunters accessed the Canvas Data 2 data pipeline and Canvas Beta environment, which are the primary mechanisms through which Instructure delivers bulk institutional data to customers.

Instructure has not publicly disclosed the specific vulnerability class or its identifier. The company confirmed it deployed patches addressing the exploited flaw, rotated application keys, revoked privileged credentials and access tokens, required customers to re-authorize API integrations, and engaged outside forensic experts and law enforcement within 24 hours.

The pattern matches ShinyHunters' established methodology precisely: identify an authentication flaw or misconfigured access control in a cloud-hosted SaaS platform, exfiltrate bulk datasets before the target detects the breach, then list the victim on a dark web extortion site with a short payment deadline.

The speed of exfiltration at 3.65 TB across hundreds of millions of records indicates persistent access over several days before detection. The Canvas Data 2 pipeline, designed for bulk institutional data exports, is the most plausible primary exfiltration vector given the scale of message content in the stolen dataset. Bulk export paths that bypass standard API rate limiting allow rapid data extraction without generating the high-volume connection anomalies that might trigger security alerts at normal ingestion volumes.

The Instructure data breach exposed names, email addresses, student ID numbers, and private messages between users. Instructure confirmed these categories in its public disclosure and stated that passwords, dates of birth, government identifiers such as Social Security Numbers, and financial information were not involved.

ShinyHunters claims the full dataset contains 3.65 TB of data covering 275 million individuals, with 231 million unique email addresses verified by security researchers who reviewed samples the group provided. TechCrunch confirmed records from two U.S. institutions, one in Massachusetts and one in Tennessee, were genuine. Phone numbers appeared in samples from institutions that collected them during enrollment. Enrolled course information revealing the academic programs students attend was also present in verified samples.

The most sensitive element of the breach is the private message corpus. ShinyHunters describes the haul as several billions of private messages between students and teachers, which includes confidential academic discussions, mental health communications routed through Canvas's messaging function, accommodation requests submitted to instructors, and personal details shared in what students believed was a private channel. This exposure goes far beyond what email addresses and student IDs alone represent.

For organizations in Canvas' customer base, the risk extends beyond the directly exposed data. Attackers with 231 million verified emails linked to course enrollments and institutional affiliations can construct highly targeted spear-phishing campaigns that reference specific courses, instructors, and academic context to appear credible. The combination of name, email, student ID, and message history creates a phishing profile far more convincing than a standard credential dump.

**ShinyHunters** is a financially motivated cybercriminal group first identified in 2020 that specializes in large-scale data theft and extortion from SaaS platforms, cloud storage services, and enterprise systems. The group has claimed responsibility for breaches affecting more than 1.5 billion user records across multiple campaigns, making it one of the most prolific data exfiltration operations active today.

Confirmed ShinyHunters operations include the 2024 Snowflake credential-harvesting campaign that compromised Ticketmaster (560 million records), AT&T (73 million records), Santander Bank (30 million records), and Hot Topic (54 million records). In the education sector, the group previously carried out the [ShinyHunters 45-million-record McGraw-Hill Salesforce breach](/blog/shinyhunters-mcgraw-hill-salesforce-breach-45-million), demonstrating persistent interest in platforms holding academic and professional records. The group also targeted [Amtrak in a Salesforce breach exposing 9 million records](/blog/amtrak-shinyhunters-salesforce-breach-9-million-records), consistent with its focus on SaaS platform vulnerabilities rather than endpoint compromise.

ShinyHunters monetizes stolen data through ransom demands, dark web marketplace listings, and direct data sales to third parties. At least two individuals with alleged ties to the group have faced criminal charges in the United States and France.

In the Instructure breach, ShinyHunters reportedly demanded payment from individual institutions alongside a general demand to the company. Penn was previously given a $1 million ransom demand in a prior ShinyHunters operation and did not pay. The group targeted Canvas specifically for the breadth of its customer base: one successful breach yields data from 9,000 organizations simultaneously, delivering leverage at unprecedented scale with a single intrusion.

The Instructure breach followed a structured four-stage timeline. Security teams at affected institutions should map their own logs against these dates to identify their specific exposure window.

The Canvas Data 2 pipeline disruption on April 30 is the earliest detection signal. Any institution that logged API authentication failures, unusual bulk export activity, or unexpected key revocation errors during that window should treat those events as direct breach indicators. Institutions that received no alerts during that window should not assume they were unaffected: ShinyHunters' access may have occurred through paths that did not trigger standard alerting on Instructure's infrastructure.

For post-breach monitoring, watch for phishing emails that impersonate Canvas system notifications using familiar platform formatting. The stolen dataset gives attackers enough context to craft emails referencing specific courses, instructors, and enrollment details that will pass a casual review by targeted recipients. Credential stuffing attacks against institutional SSO systems using the 231 million exposed email addresses are a high-probability secondary threat that will persist for months after the initial breach.

ShinyHunters published a list naming roughly 9,000 institutions it claims are represented in the stolen dataset. All eight Ivy League universities are confirmed on the list. The breach spans North America, the United Kingdom, Europe, and Asia-Pacific. At Penn alone, over 306,000 individuals are reported affected.

The breadth reflects Canvas's penetration into education. Instructure reports serving nearly 9,000 school customers globally across K-12 and higher education segments. The K-12 component adds a significant child data protection dimension. In the United States, FERPA establishes federal obligations around unauthorized disclosure of student education records, particularly for minors. Institutions in the United Kingdom and European Union operate under GDPR-equivalent data protection laws with mandatory breach notification timelines and potential fines for inadequate response.

Healthcare-adjacent university programs that use Canvas to deliver medical education, mental health counseling degree curricula, and nursing programs face a separate risk class. Students enrolled in those programs may have shared sensitive personal disclosures in Canvas messages while completing clinical reflection assignments or seeking instructor support. Standard breach notification processes do not capture that risk adequately.

Organizations with employees who are alumni or current students at Canvas-using institutions should treat their data as potentially compromised. The 41 percent figure for North American higher education means most mid-to-large organizations employ individuals who are in the affected population regardless of whether their institution has issued a specific notification.

Security and IT teams at Canvas-using institutions should complete these steps before the May 8 data release deadline. The actions below address immediate exposure verification, credential security, and user protection in priority order.

The ShinyHunters Canvas LMS breach exposed 275 million students and teachers to one of the largest education data exfiltrations ever recorded, with the full 3.65 TB dataset potentially going public on May 8. Every institution running Canvas must audit API logs from April 27 to May 1, force credential resets, and warn users about targeted phishing campaigns today. The breach demonstrates the acute risk of centralizing student communications within a single SaaS platform without independent data loss prevention monitoring. Verify your institutional exposure at HaveIBeenPwned.com and contact your IT security team before the release window closes.