Hackers from the ShinyHunters extortion group have claimed a colossal prize: data on 275 million students, teachers, and staff from nearly 9,000 schools worldwide. The target? Instructure, the edtech powerhouse behind Canvas, the learning management system that powers classrooms from K-12 to universities. And it’s no bluff. TechCrunch viewed samples of the stolen trove, confirming names, personal emails, and private teacher-student messages from schools in Massachusetts and Tennessee. TechCrunch broke the story on May 5, 2026, after ShinyHunters dangled proof to pressure Instructure into paying up—or face a full leak by May 6.
The breach unfolded quietly at first. On April 30, Instructure noticed disruptions to tools relying on API keys. Canvas Data 2 and Beta environments went into maintenance. By May 1, the company posted on its status page: “Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor.” Services scrambled back online over the weekend, but the real damage emerged May 2. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” the update read. No passwords. No financial data. But billions of private messages? That’s the hook. Instructure status page.
ShinyHunters wasted no time. On May 3, they listed Instructure on their Tor-based leak site, boasting 3.65 terabytes of data—231 million unique emails included. “Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII,” their post declared. They even claimed a hit on Instructure’s Salesforce instance. Instructure serves over 8,000 institutions; the numbers align too closely for comfort. Districts like Wayzata Public Schools in Minnesota fired off warning letters to parents. “Hackers had accessed certain systems within their environment,” the district notified, echoing names, emails, student IDs, and internal Canvas messages. FOX 9.
But this isn’t Instructure’s first rodeo. Just eight months earlier, in September 2025, social engineering attackers—also linked to ShinyHunters in some reports—breached their Salesforce setup, exposing business contacts. No product data then. Now? A repeat offender strikes the core platform. SecurityWeek detailed how the group has a pattern: Harvard, UPenn, Salesforce customers. They steal big, sample publicly, demand ransom. “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems,” one message warned. SecurityWeek.
Universities scrambled. Rutgers IT alerted users on May 4: Canvas operational, but monitor Instructure’s page. University of Texas at Austin called it a vendor-level event, not targeted, yet confirming the same exposed fields. BleepingComputer noted the group’s claim of “several billions of private messages,” turning routine student-teacher chats—assignment pleas, feedback, even personal notes—into ammunition for phishing or doxxing. BleepingComputer. Mashable highlighted the global reach: 275 million users. Mashable.
Instructure’s response? Measured. Spokesperson Kate Holmes pointed to the status page, dodging direct questions. They’ve rotated keys, revoked credentials, hired forensics firms and law enforcement. Canvas restored for most. But silence on scale fuels skepticism. TechRadar reported on May 5: ShinyHunters’ responsibility confirmed in scope if not detail. TechRadar. Districts now face the fallout—parent panic, compliance headaches under laws like FERPA.
ShinyHunters thrives on edtech’s soft underbelly. Centralized data troves. Lax API security. The breach likely exploited those keys, granting broad access before detection. SecurityAffairs quoted the hackers’ ultimatum, noting Canvas’s ubiquity in managing courses, assignments, communications. Security Affairs. Experts on X echoed alarms. One post: “The clock is ticking for 275 million students & teachers who use Canvas.” Extortion countdown looms.
For industry pros, this screams overhaul. API gateways need zero-trust. Message encryption mandatory. Vendor risk assessments? Double down. Instructure’s customer page boasts 8,000+ partners; each now scrambles to notify, monitor dark web dumps. If leaked, expect spam tsunamis, identity theft spikes among minors. TechRepublic warned of the message trove’s sensitivity—daily school interactions laid bare. TechRepublic.
The May 6 deadline passes soon. Pay or publish? History says leak. Schools brace. Instructure investigates. One thing clear: Edtech’s data vaults just got cracked wide open.


WebProNews is an iEntry Publication