ShinyHunters, the prolific threat actor group behind breaches at Ticketmaster, Santander, and AT&T, has claimed responsibility for a massive breach of Instructure — the company behind Canvas LMS, the learning management system used by thousands of K-12 schools, colleges, and universities across the United States.
According to the group’s public announcement posted to a dark web forum, the breach exposes approximately 275 million records belonging to students and faculty. The stolen data reportedly includes names, email addresses, institutional affiliations, and potentially sensitive academic records.
What ShinyHunters Is Claiming
In a ransom notice that has circulated across cybersecurity communities, ShinyHunters states that Instructure was previously notified of the vulnerability and chose to silently apply security patches rather than engage with the group. The attackers are now threatening to release data for all affected institutions unless schools independently negotiate a settlement via TOX, an encrypted messaging platform.
The group has set a hard deadline of May 12, 2026. After that date, they claim all data will be released publicly. A list of affected schools has already been made available on their site, with an IP address and path listed in the announcement for those attempting to verify their institution’s inclusion.
Why This Is Serious
Canvas LMS is one of the most widely deployed learning platforms in the world, used by institutions ranging from small community colleges to major research universities. A breach of this scale would represent one of the largest education-sector data exposures in history.
Student data carries unique risks. Unlike financial credentials that can be changed, personal identifiers tied to academic records — student IDs, enrollment history, institutional email addresses — can be leveraged for targeted phishing, identity fraud, and social engineering attacks for years after a breach occurs. For minors in K-12 environments, the exposure is especially concerning given the protections that laws like FERPA and COPPA are meant to provide.
What Institutions Should Do Right Now
- Verify exposure: Check the published affected schools list and confirm whether your institution is named. Do not access unofficial or third-party copies of the file — use verified sources only.
- Do not negotiate directly: Paying ransoms or engaging with threat actors individually creates additional legal and security risks. Consult with legal counsel and a qualified incident response firm first.
- Notify stakeholders: If your institution is affected, begin internal incident response procedures and evaluate your notification obligations under applicable state breach laws and FERPA.
- Harden your environment: Audit third-party integrations with Canvas, rotate API keys and service credentials, and review access logs for anomalous activity.
- Engage a cyber advisory firm: As ShinyHunters itself notes in the ransom notice, affected institutions should consult with professionals. Nebulara Tech specializes in exactly this type of incident response and advisory work.
The Broader Pattern
ShinyHunters has a consistent track record of targeting large platforms with centralized user data, exfiltrating records at scale, and then applying financial pressure through public disclosure. Their approach with Instructure follows the same playbook used against Ticketmaster in 2024 — breach silently, wait for a patch attempt, then go public with a countdown.
The education sector has historically been underfunded when it comes to cybersecurity infrastructure. Many institutions rely heavily on third-party vendors like Instructure for student data management without the internal security resources to monitor for threats at the vendor level. This breach is a wake-up call for every institution that outsources critical student data to cloud platforms.
How Nebulara Tech Can Help
If your institution or organization is navigating this breach — or wants to proactively assess your exposure to third-party platform risks — Nebulara Tech offers incident advisory, threat assessment, and data exposure analysis services tailored for education and enterprise environments.
Contact us to speak with our team. The May 12 deadline is approaching fast.