Key Takeaways
- Education technology firm Instructure was breached due to a “disruption to tools relying on API keys.”
- The company’s response includes revoking some credentials and access tokens while increasing monitoring and security.
- The ShinyHunters extortion gang says it is responsible, and that it has stolen 3.65 terabytes of data from almost 9,000 schools worldwide.
Education technology firm Instructure has confirmed a data breach due to a cyberattack, citing “disruption to tools relying on API keys” as the source of the breach.
The US-based company is most well-known for Canvas, a widely used learning management platform that tracks online coursework and assignments.
The ShinyHunters extortion gang has since claimed responsibility, listing the company on its data leak site while claiming to have data from “nearly 9,000 schools worldwide.”
How Did Instructure Handle It?
Instructure first acknowledged the incident on April 30th, saying that their “team is actively investigating and has taken precautionary steps to help maintain service stability while we work to restore full functionality.”
The next day, they issued a more detailed statement, including a list of steps they’ve taken to address the issue:
This just in! View
the top business tech deals for 2026 👨💻
- Revoked privileged credentials and access tokens associated with affected systems.
- Deployed patches to enhance system security.
- Out of an abundance of caution, rotated certain keys, even though there is no evidence they were misused.
- Implemented increased monitoring across all platforms.
What Data Was Leaked?
The company didn’t list the number of affected institutions, but it did name the type of data that they believe was breached, which includes:
- Names
- Email addresses
- Student ID numbers
- Messages among users
Not included? According to the company, it has “found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.”
What Does ShinyHunters Have to Say?
The extortion group called ShinyHunters claimed credit for the breach on May 3rd, adding Instructure to its Tor-based data leak site, SecurityWeek reports.
ShinyHunters has more specific claims surrounding the full scale of the breach. The group states that:
- 3.65 terabytes of data has been stolen.
- 275 million students, teachers, and other staff members impacted.
- “Several billions of private messages” stolen.
- Nearly 9,000 education institutions worldwide impacted.
- Instructure’s Salesforce instance is compromised as well.
It’s another example of a major data breach emerging from software vulnerabilities related to third-party apps — we’ve covered cloud hosting platform Vercel’s struggles with a similar issue several weeks ago, and studies show that one in four modern breaches exploit a third-party vulnerability.
