Instructure, the technology company behind the Canvas platform, has confirmed that some users’ personal data was exposed as a result of a cyberattack. The ShinyHunters group has claimed responsibility for the incident, saying the scale of the breach may be far larger than the scope so far confirmed by the company.
Instructure first disclosed the incident on Friday, 1 May, describing it as a cybersecurity event carried out by a criminal threat actor. A day later, the company updated its statement, confirming that user data from some institutions using its services had been compromised.
According to information provided by Instructure, the exposed data may include names, email addresses, student identification numbers and messages exchanged between users. At the same time, the company stressed that it had found no evidence that passwords, dates of birth, identity document numbers or financial data had been exposed.
In connection with the incident, some Canvas services, including Canvas Data 2 and Canvas Beta, were placed under maintenance from 1 May. Steve Proud, Instructure’s Chief Information Security Officer, said on 2 May that the incident had been contained. The company also said it had deployed security patches, increased monitoring and rotated application keys, requiring customers to reauthorise API access.
The ShinyHunters group published a statement on its website presenting a different assessment of the incident’s impact. According to the hackers, the breach affected nearly 9,000 educational institutions worldwide and led to the theft of data belonging to 275 million people, including students and teaching staff. The criminals also claim they gained unauthorised access to Instructure’s Salesforce environment, and that the compromised datasets relate to nearly 15,000 institutions located in North America, Europe and the Asia-Pacific region.
These claims have not been confirmed by Instructure. The company has not addressed in detail the group’s statements regarding the number of affected institutions, the number of users or the scope of messages allegedly stolen. ShinyHunters reportedly set a ransom payment deadline of 6 May.
This is another major reputational crisis for Instructure in recent months. In September 2025, the company reported a separate breach resulting from a social engineering attack targeting its Salesforce environment. That incident was also attributed to ShinyHunters. So far, the company has not specified whether the two attacks are directly connected or form part of a single long-term hacking campaign.
Canvas is used by thousands of universities, schools and educational institutions around the world. The case reflects a broader problem of cyberattacks targeting the education sector and SaaS providers whose infrastructure supports many institutions at the same time. External cybersecurity experts and law enforcement agencies are involved in the investigation.
