ShinyHunters Claims 275M Records in Canvas Breach

ShinyHunters claims it stole roughly 275 million records tied to students, teachers and staff from Instructure’s Canvas learning management system and provided a roster of 8,809 affected institutions. Instructure has confirmed a cyber incident and a subsequent data breach affecting its cloud-hosted environment.

The list of affected organizations includes school districts, colleges and online education platforms. The alleged per-institution record counts range from tens of thousands to several million, which would encompass a wide cross section of K–12 and higher education users if the claim is accurate.

Schools and security officials have pointed to the types of information that may be exposed in breaches of learning platforms. Potentially exposed data can include names, email addresses, student ID numbers and course enrollment information. Institutions and the vendor have been asked to notify affected students, families and staff with specific information about which data elements were involved.

Families and administrators are advised to verify any breach notifications before taking action. Authentic notices typically come from a district or institution contact or from Instructure’s official channels. Recipients should confirm messages through a school website or a known phone number rather than responding to unexpected emails or texts.

Security measures recommended after the disclosure include changing passwords for Canvas and related accounts, avoiding password reuse across school email and other services, and enabling multi-factor authentication where available. Using a password manager can help create and store strong, unique passwords. Caregivers may want to manage account credentials directly for younger students.

If exposed records include national ID numbers or Social Security numbers in places where those are collected, families should ask both the school and Instructure what protections will be provided, such as credit monitoring or identity restoration services. Where permitted, a credit freeze or similar block can be placed on a minor’s file to help prevent new accounts from being opened in the child’s name.

Security officials warn that data taken from education platforms is often reused to craft phishing and scam messages that reference real schools, teachers or courses. Recipients should avoid clicking links in suspect messages and instead open a browser and log in to the official site or app to check for communications.

Instructure has acknowledged the incident and said it will provide updates as the investigation continues. Affected institutions are expected to issue more detailed notifications identifying exposed records and any remediation services that will be offered to impacted students, staff and families.