ShinyHunters Hit Canvas LMS in Massive Data Breach

Tens of millions of students, teachers, and staff woke up to a security nightmare this month. A Canvas LMS data breach carried out by the ShinyHunters extortion group has exposed data from an estimated 275 million people across nearly 9,000 educational institutions worldwide — making it the largest educational security breach on record.

How the Attack Unfolded

The story starts on April 29, when Instructure discovered unauthorized access to its network. The company revoked access, launched an investigation, and brought in outside forensic experts. A few days later, it confirmed that data had been stolen.

ShinyHunters listed Instructure on its dark web leak site on May 3. The group claimed to have taken 3.65 terabytes of uncompressed data. They demanded that Instructure make contact by May 6 to negotiate a ransom, or face a full public leak. Instructure appeared to ignore the demand and instead rolled out security patches.

That decision backfired.

On May 7, ShinyHunters struck again. Rather than simply threatening a leak, the group went loud. They defaced Canvas login portals at roughly 330 institutions across the United States. Students at schools including the University of Texas San Antonio logged into Canvas and found a ransom message instead of their coursework. The timing was brutal: final exams were underway at many of those institutions.

The XSS Vulnerability Behind the Defacement

The second attack exploited multiple cross-site scripting (XSS) vulnerabilities in Canvas’s Free-for-Teacher accounts. This is a free, limited version of the platform for individual educators. XSS flaws allow attackers to inject malicious code into web pages that other users then load in their browsers. ShinyHunters injected malicious JavaScript that gave them access to authenticated administrator sessions. With those sessions, they performed privileged actions on the platform, including modifying what users see when they log in.
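The class of flaw described above, shown as an added example beside its hardened form. This is not Canvas or Instructure code and not a reconstruction of the actual vulnerabilities, whose details the article does not give; every function name and the sample input are hypothetical.

```javascript
// Added illustration; all names are hypothetical, not Canvas or Instructure code.

// Constructed sample: user-authored text carrying an inline event handler.
const SAMPLE_INPUT = 'Week 1 notes <img src=x onerror="alert(1)">';

// Vulnerable pattern: user content is concatenated into markup unchanged,
// so the browser parses the injected tag as part of the page.
function renderAnnouncementUnsafe(body) {
  return '<div class="announcement">' + body + '</div>';
}

// HTML-escape the characters that can open a tag, attribute or entity.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the same content is encoded for the HTML text context.
function renderAnnouncementSafe(body) {
  return '<div class="announcement">' + escapeHtml(body) + '</div>';
}

// Defence in depth for the session: HttpOnly keeps the cookie out of reach of
// document.cookie, and a CSP without 'unsafe-inline' blocks inline handlers.
function sessionResponseHeaders(sessionId) {
  return {
    'Set-Cookie': 'session=' + encodeURIComponent(sessionId) +
      '; HttpOnly; Secure; SameSite=Lax; Path=/',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// Crude check used only to compare the two renderers on the sample:
// does the output still contain a live tag carrying an on* handler?
function containsLiveHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log('unsafe output keeps handler:', containsLiveHandler(renderAnnouncementUnsafe(SAMPLE_INPUT)));
console.log('safe output keeps handler:  ', containsLiveHandler(renderAnnouncementSafe(SAMPLE_INPUT)));
```

HttpOnly only stops script from reading the cookie; injected script can still issue requests inside the victim's authenticated session, so output encoding and the CSP are the controls that matter for the scenario described here.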

Instructure confirmed that the unauthorized actor made changes to the pages that appeared when students and teachers logged in through Canvas. The company took the platform offline to contain the activity and apply additional safeguards. Canvas came back online by May 9.

What Data Was Stolen

The Canvas LMS data breach exposed names, email addresses, student ID numbers, course enrollment details, and private messages between students and teachers. ShinyHunters claimed the haul runs to billions of private messages. Instructure stated there is no evidence that passwords, dates of birth, financial information, or government identifiers were part of what the group took.

The scale is difficult to overstate. ShinyHunters claims 275 million records across 8,809 institutions, including many of the most prominent universities in the United States and beyond. Schools in at least eleven US states reported disruptions. Some colleges cancelled or postponed exams entirely.

Instructure Pays, Congress Investigates

On May 11, Instructure confirmed it had reached an agreement with ShinyHunters. The company said it received digital confirmation that the stolen data was destroyed, including shred logs. Instructure also stated that no customers would face further extortion. ShinyHunters removed Instructure from its leak site and posted a message saying the matter was resolved.

The statement strongly implies Instructure paid the ransom. The company has not disclosed the sum.

The response from Washington came the same day. The U.S. House Committee on Homeland Security sent a letter to Instructure CEO Steve Daly, citing serious questions about the company’s incident response and its obligations to protect stored data. The committee requested that Instructure or a senior representative appear for a briefing by May 21. Topics would include both intrusions, the volume of stolen data, notification efforts, and coordination with federal law enforcement and CISA.

ShinyHunters: A Pattern of Escalation

This was not ShinyHunters’ first move against Instructure. The group breached the company’s Salesforce environment through a social engineering attack in September 2025. Instructure describes the two incidents as distinct events affecting different systems.

ShinyHunters has run extortion campaigns since around 2019, targeting companies including Ticketmaster, AT&T, and a long list of universities. Their methods have shifted over time. Early operations focused on bulk database theft. By 2024, the group targeted cloud credential stores at scale. Their current model centers on breaching shared vendors that serve hundreds of organizations. One successful attack then multiplies across every customer in that vendor’s portfolio.

Final Thoughts

The Canvas LMS data breach is a stark warning for any organization sitting at the center of a large institutional ecosystem. Instructure serves over 30 million active users across more than 8,000 educational institutions. That reach makes it an extraordinarily high-value target, and the consequences of a single unpatched vulnerability are severe.

For students and staff at affected institutions, the immediate concern is follow-on phishing. The stolen data gives attackers enough personal context to craft convincing impersonation attempts. They may pose as financial aid offices, IT support, or school administrators. Anyone who uses Canvas should stay alert for unusual emails or messages in the weeks ahead.

Whether the ransom payment actually resulted in data destruction remains unknown. As Instructure itself acknowledged, there is “never complete certainty when dealing with cyber criminals.”

Janet Andersen
