Education tech firm Instructure confirms data breach affecting student privacy
While the attacker alleges millions of records were compromised, TechCrunch could not independently verify the scale of the incident. Access to the Canvas platform has been restored following maintenance.
Education technology company Instructure has confirmed a data breach involving students' private information. The hacking and extortion gang ShinyHunters has claimed responsibility for the incident, stating that they stole names, personal email addresses, and messages exchanged between teachers and students.
A member of ShinyHunters shared a sample of the allegedly stolen data with TechCrunch, revealing records from two schools in the United States. One institution is located in Massachusetts, where the sample contained messages with names, email addresses, and some phone numbers. The other school, based in Tennessee, had its students' full names and email addresses included in the sample.
Instructure has stated that passwords and other specific data types were unaffected by the breach. The company reports having over 8,000 institutional customers globally. ShinyHunters provided a list of approximately 8,800 allegedly affected schools, though TechCrunch could not confirm whether all listed institutions were actually customers of Instructure or if they were fully impacted by the intrusion.
The hacking group alleges the breach impacted nearly 9,000 schools worldwide and 275 million people's data, including students, teachers, and other staff. In an online chat, a ShinyHunters member told TechCrunch that the total unique emails included in the stolen data amount to 231 million. However, TechCrunch noted that these figures could not be independently verified.
ShinyHunters is an established extortion gang that has targeted universities and cloud database companies in recent months, threatening to publish stolen data unless ransoms are paid. Financially motivated hacking groups are known to exaggerate the scale of data breaches to attract media attention and pressure victims into paying ransoms.
When reached by TechCrunch, Instructure's spokesperson Kate Holmes declined to answer direct questions regarding the incident, referring inquiries to the company's official update page. As of Tuesday, Instructure reported that some products, including Canvas, have been restored for customers following maintenance.
