Canvas data breach overview:
- Who: Education technology company Instructure disclosed a data breach involving its Canvas learning platform.
- Why: Extortion group ShinyHunters claimed responsibility for the cyberattack.
- Where: The data breach reportedly affected students, teachers and others at nearly 9,000 educational institutions worldwide.
Instructure disclosed a data breach involving its Canvas learning platform in late April.
Instructure, the parent company of Canvas, announced the data breach on April 30 and confirmed the following day that cybercriminals were responsible, according to SecurityWeek.
The company stated that it had retained outside forensic experts to investigate the data breach.
“We are working quickly to understand the extent of the incident and actively taking steps to minimize its impact,” the company said, as reported by SecurityWeek.
Instructure announced on May 2 that the data breach had been contained and that it had reissued certain application keys, requiring users to reauthorize access to tools.
Instructure also revoked privileged credentials and access tokens, deployed fixes to improve security and implemented additional monitoring.
Extortion group ShinyHunters takes responsibility for data breach
According to SecurityWeek, ShinyHunters claimed it had stolen the information of 275 million students, teachers and others at close to 9,000 educational institutions around the world. The group also claimed Instructure’s Salesforce instance was compromised in the data breach.
Instructure said the data breach exposed personal information, such as names, email addresses and student ID numbers, as well as user messages.
The company said, however, that it had found no evidence that any passwords, dates of birth, government identifiers or financial information were “involved,” reports SecurityWeek.
ShinyHunters added Instructure to its Tor-based leak site on May 3 while claiming 3.65 terabytes of data had been stolen.
Instructure, in an incident fact sheet published on May 13, said Canvas was “fully back and available for use” as of May 9. The company also revealed that “the same threat actor” had gained additional access through a second “vulnerability.”
The company added it detected and disabled the second attack “approximately 10 minutes after it began.”
In another cybersecurity incident, a consumer filed a class action lawsuit alleging DocketWise failed to properly secure the personal information of more than 116,000 consumers in a data breach that occurred in 2025.
Were you affected by the Canvas data breach? Let us know in the comments.
Don’t Miss Out!
Check out our list of Class Action Lawsuits and Class Action Settlements you may qualify to join!
Read About More Class Action Lawsuits & Class Action Settlements:
One thought on Canvas data breach may have exposed millions of student and teacher records worldwide
Add me I currently teach adjunct & it affected my courses