Educational technology company Instructure has confirmed a data breach affecting its systems, after the ShinyHunters cybercrime group claimed responsibility and threatened to leak stolen data.
The company, best known for its Canvas learning management system used by schools and universities worldwide, disclosed that attackers gained unauthorized access to internal systems and exfiltrated user data.
According to Instructure, the compromised information includes names, email addresses, and student ID numbers, along with user-generated content such as messages exchanged within the platform. The company stated that it has found no evidence that passwords, financial data, or government-issued identifiers were exposed.
The breach triggered service disruptions, prompting Instructure to revoke access tokens, disable affected systems, and deploy additional monitoring and security controls while investigating the incident.
The ShinyHunters group has claimed a significantly larger impact than what has been confirmed publicly. According to the attackers, data from up to 275 million individuals and nearly 9,000 educational institutions may have been accessed, including private communications between students and educators. These figures have not been independently verified.
The incident appears to be part of a broader campaign targeting cloud-based and SaaS platforms. Security analysts note that attacks attributed to ShinyHunters often rely on credential theft, social engineering, or token hijacking to gain access to enterprise systems rather than exploiting software vulnerabilities directly.
This is not the first time Instructure has faced a security incident. The company previously disclosed a breach linked to social engineering attacks in 2025, also associated with the same threat group, highlighting ongoing risks to platforms handling large volumes of educational data.
Experts warn that even limited datasets, such as names, emails, and internal communications, can be leveraged for phishing, impersonation, and targeted social engineering campaigns. The inclusion of message content further increases potential exposure by providing context that attackers can exploit.
The investigation remains ongoing, with Instructure continuing to assess the scope of the breach and monitor for any signs of data misuse or publication.