Ransomware group ShinyHunters claims to have breached Instructure, locking out students from Canvas
Instructure confirms names and IDs were compromised but denies loss of passwords or financial details as ransomware gang threatens to publish stolen data.
An extortion group known as ShinyHunters has claimed to infiltrate cloud-based educational technology provider Instructure, resulting in the theft of data from 8,809 schools globally. The group asserts that it has stolen approximately 280 million records containing names, email addresses, student ID numbers, and user messages from teachers, students, and staff members.
As leverage for a potential settlement, the hackers have locked students and staff out of the Canvas platform, which Instructure uses to host course materials, grade assignments, and facilitate discussions. The group has issued a deadline of May 12 for Instructure to negotiate a settlement, threatening to publish the stolen data if demands are not met.
Specific incidents of the disruption have already been reported by major institutions. Students at Harvard University lost access to Canvas at 3:30 PM on May 7, with the website redirecting to a message from ShinyHunters. Similarly, University of California Irvine students began receiving pop-up notices on Thursday displaying the ransom demand.
Instructure has confirmed the breach and stated that names, emails, and student IDs were compromised. However, the company denied the loss of passwords, dates of birth, government identifiers, or financial information. Following the emergence of warning notices on May 7, the provider rolled out security patches and shut down Canvas for several hours.
ShinyHunters claims that the defaced login portals, which were observed on the websites of three schools by TechCrunch, were enabled by a second, separate breach distinct from the initial data theft. The group shared record counts with BleepingComputer, noting that data theft per institution ranged from tens of thousands to several million records.
The total number of affected schools and the exact nature of the data within the 280 million records remain based solely on the hacker's claims and have not been independently verified by external auditors. Instructure continues to address the security incident while facing the threat of data publication.
