ShinyHunters has breached Instructure's Canvas LMS, claiming to have accessed data from 275 million users and 3.65TB of student information from 9,000 educational institutions, including 44 in the Netherlands.

      TL;DR: ShinyHunters breached Instructure’s Canvas learning management system, claiming to have stolen 3.65 terabytes of data affecting 275 million users from 9,000 institutions globally, including private messages between students and educators. Forty-four Dutch universities and schools are confirmed to be impacted, and this incident, the second at Instructure in eight months, highlights the systemic risk associated with vendor concentration in educational technology.

      The largest education data breach ever recorded did not target a school, but rather a vendor. On April 30, hackers took advantage of a vulnerability within Instructure's systems, the company behind Canvas, which is used by 41% of higher education institutions in North America.

      The cybercriminal group ShinyHunters, known for the Snowflake supply chain attacks that affected Ticketmaster and AT&T, claims to have compromised 3.65 terabytes of data involving 275 million users across nearly 9,000 educational institutions worldwide, which includes private correspondence among students, teachers, and staff.

      In the Netherlands, 44 educational institutions have been confirmed as affected, including the University of Amsterdam and Vrije Universiteit, with the authorities advising vigilance among students and staff. The attackers have threatened to make the data public unless Instructure pays up by May 8.

      This breach reveals a fundamental risk in the digitization of education: the schools involved did not choose to be targeted and could not have prevented it, as the decision to store student data with a single vendor was made years ago, beyond their control.

      The Company

      Instructure, established in 2008, developed Canvas into a leading learning management platform in the U.S., surpassing Blackboard and securing 31% of the North American higher education LMS market by 2018. The company went public in 2015, was acquired by Thoma Bravo in a $2 billion deal in 2020, and sold again to KKR and Dragoneer Investment Group in November 2024 for $4.8 billion.

      Now functioning as a private entity owned by a major alternative asset management firm, Instructure serves around 200 million learners across 100+ countries. Its offerings include Canvas LMS, Canvas Studio for video learning, and Mastery Assessment for tracking competencies. The platform is integral to academic routines, managing course materials, assignment submissions, grades, and notably, direct messaging between students and educators.

      This incident marks Instructure’s second confirmed breach within about eight months. In September 2025, ShinyHunters conducted a social engineering attack against the company's Salesforce environment. The April 2026 breach exploited a flaw in Instructure's production systems, which the company claims has now been addressed. On May 1, Instructure’s Chief Information Security Officer Steve Proud informed customers of a cybersecurity incident, noting that the exposed data might include names, email addresses, student identification numbers, as well as messages from Canvas Inbox and Discussion.

      The company reported no indication that sensitive personal information such as dates of birth, government identifiers, financial details, or passwords were compromised. However, the inclusion of private messages, which could reveal phone numbers, home addresses, and personal data shared in trust, renders this breach qualitatively different from a typical data leak.

      The Attackers

      ShinyHunters is a criminal hacking and extortion group active since 2020, becoming one of the world's most prolific data thieves. The group, believed to consist of a small number of core members based in Canada and France, focuses on companies servicing multiple organizations, enabling a single breach to affect thousands of victims.

      In 2024, ShinyHunters carried out the Snowflake supply chain campaign that breached around 165 organizations, including Ticketmaster, where 560 million records were exposed, and AT&T, which lost data on 110 million customers. AT&T paid a ransom of $370,000 to delete the stolen data. In March 2026, the group also breached the European Commission, leaking 350 gigabytes of data from 42 internal clients and nearly 29 EU entities. Their consistent method involves identifying a vendor with access to vast data, exploiting a vulnerability or using social engineering, extracting the data, and threatening public release unless payment is made.

      The breach of Instructure follows this exact pattern. On May 2, ShinyHunters posted their claim on a dark web forum, enumerating 8,809 educational institutions with specific record counts per entity. They warned Instructure to “make the right decision” by May 6, later extended to May 8, or face the release of the complete dataset along with “several annoying digital problems.” The attackers assert they possess billions of private messages.

      The cybersecurity industry anticipated that 2026 would mark the era of governed security AI, with automated threat detection and response systems reaching maturity. The Instructure breach indicates that there is a significant gap in governance between enterprise security measures and the capabilities of attackers, with the most vulnerable organizations being those not