The ShinyHunters cybercrime group has claimed responsibility for breaching Instructure’s Canvas learning management system for a second time, compromising the data of at least 275 million students, teachers, and administrators worldwide, cybersecurity researchers confirmed Thursday.
The breach, which represents one of the largest education-sector data leaks in history, has sent shockwaves through academic institutions across more than 100 countries that rely on the Canvas platform for course management, grading, and remote learning infrastructure.
The Scale of the Breach
According to threat intelligence analysts tracking the incident, ShinyHunters gained access to Instructure’s backend systems through compromised API credentials, exfiltrating a database containing personally identifiable information spanning over a decade of platform usage. The group, the same one responsible for previous high-profile breaches including AT&T and Ticketmaster, systematically downloaded database dumps over several weeks before announcing the breach on their Telegram channel.
“This is not merely a data breach; it is a systemic failure of educational data protection that will have generational consequences,” said Dr. Elena Vasquez, a cybersecurity policy researcher at the Center for Digital Education. “We are talking about the academic records, personal details, and behavioral data of millions of minors whose privacy has been permanently compromised.”
The exposed data includes full names, email addresses, institutional affiliations, course enrollment histories, grades, IP addresses, and in some cases, protected characteristics such as disability accommodations and special education status. Researchers note that the combination of educational and personal data creates uniquely dangerous opportunities for identity theft and targeted social engineering.
Instructure’s Response
Instructure, the Salt Lake City-based edtech company that operates Canvas, confirmed the security incident in a statement, acknowledging that “an unauthorized third party gained access to certain systems” but stopped short of confirming the 275 million figure cited by ShinyHunters.
“We are working with leading cybersecurity firms and law enforcement to investigate the scope of this incident,” the company said. “We have implemented additional security measures and are in the process of notifying affected institutions.”
Critics have questioned why Instructure’s security posture remained vulnerable after the group’s first breach of the platform in 2024, which affected approximately 30 million users. The scale of the second breach — nearly ten times larger — suggests that the company’s remediation efforts were insufficient, analysts say.
“When a threat actor successfully breaches the same target twice, each time with exponentially greater impact, it signals a fundamental failure of security architecture rather than a simple operational lapse. The question now is whether educational institutions can afford to remain on a platform that has demonstrated it cannot protect their students’ most sensitive data.”
Global Impact on Education
The breach affects virtually every tier of education. K-12 school districts that adopted Canvas during the pandemic-driven shift to remote learning are particularly vulnerable, as child data is subject to stricter protection regulations under laws such as FERPA in the United States and GDPR in Europe.
Universities face an equally daunting challenge. With course catalogs, grade histories, and enrollment data now in the hands of threat actors, institutions must grapple with the possibility of targeted phishing campaigns aimed at students and faculty, as well as the potential for academic fraud and credential misuse.
In the United Kingdom, where Canvas is used by several major universities, the Information Commissioner’s Office announced it had opened a preliminary inquiry into whether Instructure had taken adequate data protection measures. Similar investigations are expected from data protection authorities across the European Union. Australia’s Cyber Security Centre issued an advisory urging all educational institutions using Canvas to immediately reset credentials and review access logs for suspicious activity.
The ShinyHunters Playbook
ShinyHunters has established itself as one of the most prolific cybercriminal operations of the decade, specializing in the exfiltration and monetization of large-scale data sets. The group typically operates by identifying compromised credentials on dark web markets, using them to gain initial access to corporate networks, and then escalating privileges to reach core databases.
Researchers believe the group exploited a combination of exposed API keys and compromised administrator accounts to bypass Instructure’s authentication layers. The group has threatened to release the full dataset unless Instructure meets an undisclosed ransom demand, though cybersecurity experts caution that paying ransoms rarely prevents data from eventually appearing on criminal forums.
What Students and Educators Should Do Now
Cybersecurity experts recommend that anyone who has used Canvas take the following steps immediately: change your Canvas password and ensure it is not reused across any other accounts; enable multi-factor authentication if your institution offers it; monitor financial accounts and credit reports for signs of identity theft, particularly if your Canvas account contained sensitive personal information; and be vigilant for phishing emails that may reference your educational history — a common tactic following education-sector breaches.
Institutions are advised to review their data retention policies and consider whether historical student data spanning more than a decade needs to remain accessible through the platform. “Data minimization is the most effective defense against breaches of this scale,” noted Webb. “If the data doesn’t exist on the platform, it cannot be stolen.”
Broader Implications for Edtech Security
The Canvas breach has reignited a broader debate about the security practices of educational technology companies, many of which expanded rapidly during the COVID-19 pandemic without corresponding investments in cybersecurity infrastructure. The edtech sector, valued at over $400 billion globally, has become an increasingly attractive target for cybercriminals due to the volume and sensitivity of the data it holds.
Unlike financial institutions, which are subject to rigorous regulatory oversight and mandatory breach reporting timelines, edtech companies often operate in a regulatory gray area, with oversight split between education authorities and data protection agencies. This fragmentation creates gaps that threat actors have been quick to exploit.
Lawmakers in the United States have signaled that the breach will prompt renewed calls for the passage of a comprehensive federal data privacy law, which has stalled in Congress for years. “When 275 million students and teachers have their personal information exposed, it becomes impossible to argue that the current patchwork of state-level regulations is sufficient,” said Senator Maria Cantwell, who has long championed federal privacy legislation.
For now, the 275 million individuals whose data was swept up in the ShinyHunters breach face an uncertain future, their educational histories now a commodity traded on the dark web. As Instructure works to contain the damage and rebuild trust, the message from cybersecurity experts is unequivocal: the era of treating student data as an afterthought must end.
This is a breaking news story and will be updated as more information becomes available.