Instructure, an education technology company that offers the popular Canvas learning platform, is the latest victim of the prolific ShinyHunters extortion group, which is claiming responsibility for an attack that exposed terabytes of sensitive data and disrupted services over the weekend.

The Salt Lake City-based company late last week said in a notice that some users were “experiencing limited disruption to tools relying on API keys” and that it was investigating the problem.

Instructure brought in outside experts to help with the investigation, which CISO Steve Proud wrote May 3 uncovered that some of the information exposed belonged to users at various institutions and included names, email addresses, and student ID numbers, as well as messages between users.

“At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved,” Proud wrote.

The steps Instructure took after learning of the intrusion included revoking privileged credentials and access tokens associated with affected systems, deploying patches, rotating certain keys “even though there is no evidence they were misused” and implementing increased monitoring across all platforms.

Service is Back Up, but Data Exposed

In updates over the weekend, Instructure officials wrote that their Canvas Data 2 – a service that delivers streamlined and bulk access to low-latency data to customers and partners, enabling data warehouses and learning analytics – and Canvas Beta were both unavailable while the company fixed the problem.

On May 2, Instructure reissued some application keys, a precautionary move to protect users who needed to use them to get authorized access to its tools. The reissued application keys were timestamped, with the timestamps visible to users during the re-authorization process.

Access to Canvas Data 2 was restored on May 3, though Canvas Beta and Test were still unavailable.

ShinyHunters Takes Responsibility

The same day, ShinyHunters added Instructure to its Tor-based leak site. The extortion group said it had stolen 3.65 terabytes of data belonging to 275 million students, teachers, and other people. Almost 9,000 institutions – including schools, universities, and other organizations – around the world use Instructure services and products, which include Mastery for assessments and Parchment for records and credentials.

According to the threat group, the data includes “several billion private messages among students and teachers and students and other students involved.” ShinyHunters, in its demand for payment from Instructure, also claimed that it had compromised the company’s Salesforce instance.

BleepingComputer reported that ShinyHunters claims the data takes includes more than 240 million records linked to students, teachers, and staff and that the data comes from almost 15,000 institutions hosted across a range of regions, including North America, Europe, and Asia-Pacific.

Education is an Attractive Target

This weekend represents the second time in less than a year that Instructure was attacked by ShinyHunters. The company’s systems were breached in September 2025, with the company at the time saying the incident was largely confined to publicly available business information being exposed. The extortion group claimed credit for that attack, saying it used social engineering tactics to get into Instructure’s Salesforce instance.

The targeting of Instructure, as well as other high-profile incidents like the hack of PowerSchool – the largest education software provider in the United States, disclosed in January 2025 – that exposed the data of K-12 teachers and students, highlight the ongoing cyberthreats to education systems and organizations.

In a report in March, Kaspersky Lab researchers noted the change in ransomware targeting over the past several years, pointing out that before the primary goal of groups was to encrypt data and then extort a ransom, which meant bad actors were mostly targeting commercial enterprises that valued their data enough to pay a large ransom.

“But times have changed, and so has the ransomware groups’ business model,” the researchers wrote. “The focus has shifted from payment for decryption, to extortion in exchange for non-disclosure of stolen data. Now, the ‘incentive’ to pay isn’t just about restoring the company’s normal operations, but rather avoiding regulatory trouble, potential lawsuits, and reputational damage. And it’s this shift that’s put educational institutions in the crosshairs.”