275 Million Students’ Records Allegedly Stolen in Canvas Breach

ShinyHunters claims 3.65 TB of Instructure Canvas data affecting 275 million users at 9,000 schools — with minors' data exposed and a Salesforce pivot involved.

    ShinyHunters — the threat group behind some of the largest data theft operations of the past three years — is claiming responsibility for a breach at Instructure, the company that operates Canvas, the learning management platform used by roughly 9,000 educational institutions worldwide, with an alleged 275 million records already posted to its dark web leak site.

    The Scope of the Alleged Canvas Breach

    Instructure confirmed a breach affecting its Canvas platform, a disclosure that coincided with ShinyHunters listing the company on its Tor-based leak site on May 3, 2026. The threat group claims to possess 3.65 terabytes of stolen data encompassing approximately 275 million students, teachers, and staff members.

    Instructure’s disclosure confirmed that names, email addresses, student identification numbers, and user messages were among the stolen records. The company stated that passwords, government identification numbers, dates of birth, and financial data were not in the scope of what was accessed.

    The distinction matters legally, but it does not make the exposed records harmless. The combination of name, email, student ID, and institutional affiliation is sufficient for targeted phishing, credential stuffing against other platforms where those email addresses are registered, and identity fraud in educational and financial contexts. A partial dataset is not a safe dataset.

    If ShinyHunters’ claimed figure of 275 million is verified, it would rank among the largest single breach events in the education sector’s recorded history. Canvas’s market penetration — the platform is used across K-12 schools, community colleges, universities, and corporate training programs — makes the exposure breadth plausible.

    The Minor Problem: COPPA, FERPA, and GDPR

    What distinguishes this breach from a typical enterprise data incident is the victim population. Canvas’s K-12 user base means a meaningful share of the 275 million claimed accounts may belong to children under 13. That triggers COPPA (Children’s Online Privacy Protection Act) in the United States, which requires enhanced protections and parental notification for data collected from minors. It also triggers FERPA (the Family Educational Rights and Privacy Act), which governs the handling of student educational records and their disclosure.

    For institutions with European students or staff, GDPR carries its own breach notification requirements, including a 72-hour reporting window to supervisory authorities and individual notification obligations. A breach at the scale claimed here, touching 9,000 institutions in multiple countries, creates an extraordinarily complex multi-jurisdictional notification and compliance obligation.

    The reputational dimension compounds the legal one. Parents entrust educational institutions with their children’s data. Administrators entrust their LMS vendor with the data that flows through every assignment, grade, and communication in their institution. A breach of this scope at the platform level means all of that trust was exposed through a single point of failure.

    How Attackers Pivoted from Canvas to Instructure’s Salesforce Instance

    One technical detail stands out in the breach disclosure: a Salesforce instance operated by Instructure was also compromised as part of the attack. This is not incidental — it reflects a pattern that has become increasingly common in data theft campaigns.

    In multiple major breaches of 2024 and 2025, attackers who gained access to an organization’s core platform also pivoted laterally into connected CRM and cloud tools. In the Snowflake-adjacent breaches of 2024, attackers compromised cloud data warehouse tenants through stolen credentials, then pivoted to Salesforce, Zendesk, and other connected systems. The same pattern appears here.

    Salesforce environments in educational settings often contain contact records, sales and enrollment pipeline data, alumni relationships, and potentially donor financial information. A Salesforce pivot in a breach means the data scope almost certainly extends beyond what the primary platform disclosure captures.

    ShinyHunters’ Track Record

    ShinyHunters is one of the most prolific and high-impact data extortion groups in recent years. The group was responsible for the Ticketmaster breach in 2024, claiming 560 million records — one of the largest consumer data thefts ever disclosed. It has also breached AT&T, Santander Bank, and multiple other major enterprises. ShinyHunters typically publishes stolen data to its dark web marketplace after extortion attempts fail, meaning the Instructure data is likely already broadly accessible to other threat actors.

    The group’s track record means this should be treated as a confirmed breach with full data exposure — not a precautionary alert — until contradicting information emerges.

    What Educational Institutions Must Do After the Instructure Canvas Breach

    For educational institutions using Canvas, the actionable steps are immediate:

    Assume the data is exposed. The ShinyHunters publication indicates the data has been or will be distributed broadly. Institutions should proceed with breach notification obligations rather than waiting for additional verification.

    Audit connected systems. The Salesforce pivot demonstrates that Instructure’s environment extended beyond Canvas itself. Institutions should audit what data flows from their Canvas deployment into other connected systems and whether those systems were also affected.

    Prepare for targeted phishing. The stolen dataset — names, emails, student IDs, and internal messages — provides threat actors with the raw material for highly targeted phishing against students, parents, faculty, and staff. Enhanced email security and user awareness briefings are appropriate responses.

    Engage legal counsel on notification obligations. The multi-jurisdictional exposure across K-12, higher education, and international institutions creates a complex compliance landscape. Each institution’s counsel should assess applicable notification timelines under FERPA, COPPA, GDPR, and applicable state breach notification laws.
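
For the "Prepare for targeted phishing" step above, one way a mail team could triage inbound messages: an external sender that quotes the recipient's own student ID, or borrows Canvas/Instructure branding, is using exactly the fields named in the disclosure. This is an added example, not code from Instructure or from this article's author; the domains, roster and student IDs are constructed placeholders, and the allow-list is an assumption to replace with the domains your Canvas tenant actually sends from.

```python
import email
import re
from email.utils import parseaddr

# All values below are constructed placeholders, not data from the breach.
TRUSTED_DOMAINS = {"school.example", "lms-notify.example"}  # assumed allow-list
ROSTER = {"ana@school.example": "S1048837"}  # recipient address -> student ID
BRAND = re.compile(r"\b(canvas|instructure)\b", re.I)

def triage(raw):
    """Return the reasons an inbound message deserves review (empty list = none)."""
    msg = email.message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    subject = msg.get("Subject", "")
    if sender.rpartition("@")[2].lower() in TRUSTED_DOMAINS:
        return []  # this sketch does not evaluate SPF/DKIM/DMARC results
    reasons = []
    student_id = ROSTER.get(rcpt.lower())
    # A valid student ID in mail from outside is a strong sign of leaked data.
    if student_id and student_id in subject + "\n" + msg.get_payload():
        reasons.append("external sender quotes the recipient's student ID")
    # Platform branding in the display name or subject of untrusted mail.
    if BRAND.search(display) or BRAND.search(subject):
        reasons.append("external sender uses Canvas/Instructure branding")
    return reasons

def make(sender, rcpt, subject, body):
    """Build a minimal single-part message for the constructed samples."""
    return f"From: {sender}\nTo: {rcpt}\nSubject: {subject}\n\n{body}\n"

SAMPLES = {  # constructed messages
    "lure": make('"Canvas Support" <help@canvas-verify.example>', "ana@school.example",
                 "Action required for student S1048837",
                 "Confirm your account to keep access to your courses."),
    "internal": make("Registrar <registrar@school.example>", "ana@school.example",
                     "Canvas course list", "Your ID S1048837 is enrolled in 4 courses."),
    "newsletter": make("News <news@vendor.example>", "ana@school.example",
                       "Spring catalogue", "New titles are available."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

In production, base the trust decision on the authenticated sending domain (SPF/DKIM/DMARC results) rather than the raw From header, which a sender can forge.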

    Data stored at scale in centralized educational platforms represents a high-value, frequently under-secured target. This breach is unlikely to be the last of its kind.
