Educational technology company Instructure has confirmed a data breach in which personal data of users was exposed. The ShinyHunters group has claimed responsibility, alleging that nearly 9,000 schools worldwide were affected and that data of 275 million individuals was stolen, including private messages between students and teachers.
Instructure, best known for its Canvas learning management system used by schools and universities worldwide, disclosed the incident on Friday. A day later, the company confirmed that personal data had been compromised. According to Instructure’s statement, the exposed information includes names, email addresses, and student ID numbers, as well as messages between users.
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” the company stated. Passwords, dates of birth, government identifiers, and financial data were reportedly not involved.
As part of its response, Instructure deployed patches, increased monitoring, and rotated application keys. Customers must re-authorize API access for new keys to be issued.
ShinyHunters claims massive scale
ShinyHunters, the financially motivated extortion gang behind numerous high-profile breaches, has listed Instructure on its data leak site. The group claims to hold over 240 million records tied to students, teachers, and staff, spanning almost 15,000 institutions across North America, Europe, and East Asia/Oceania. The gang also alleges that Instructure’s Salesforce instance was breached.
ShinyHunters has been responsible for a wide range of high-profile data theft operations, previously targeting companies including Google, AT&T, and Air France-KLM via Salesforce environments. In September 2025, the group claimed to have stolen 1.5 billion Salesforce records from 760 companies. More recently, the group also listed Red Hat on its leak site, with security researchers describing the group’s platform as functioning like extortion-as-a-service.
BleepingComputer could not independently verify the scope of the breach. Instructure has not responded to questions about when the breach occurred or whether it is being extorted. The investigation remains ongoing, with third-party cybersecurity experts and law enforcement involved.