Instructure Breach Exposes Canvas LMS Vendor Risks for Schools
A threat actor known as ShinyHunters has claimed responsibility for a cyberattack against Instructure, the company behind the widely deployed Canvas learning management system (LMS). The group announced on a dark‑web forum that it had exfiltrated a 2.5 TB archive containing student records, instructor accounts, API tokens, and internal configuration files. Instructure confirmed the intrusion on March 4, 2025, after abnormal traffic was detected on an API endpoint used for bulk data exports.
Technical analysis by the company’s security team revealed that the attackers exploited a misconfigured export service that allowed unrestricted access to the internal object store. The vulnerable component, identified as CVE‑2025‑4821, failed to enforce authentication on a data‑retrieval API, so the adversaries could issue direct GET requests for JSON blobs containing PII, hashed passwords, and OAuth client secrets. ShinyHunters used a custom Python script to automate the extraction, moving the data through a staging server before exfiltration.
The breach highlights the deep dependence of K‑12 and higher‑education institutions on a single LMS vendor. With Canvas powering more than 30 million user accounts across 4,000 schools worldwide, the incident raises concerns over compliance with federal student‑privacy laws such as FERPA and state data‑protection statutes. Security researchers warn that the exposed API tokens could be abused to gain persistent access to integrated third‑party tools, potentially expanding the attack surface beyond Canvas itself.
Instructure responded by invalidating all compromised API keys, rotating OAuth credentials, and issuing a patch for the vulnerable export service. The company has engaged a third‑party incident‑response firm to conduct a forensic investigation and is working with law‑enforcement agencies. Education administrators are advised to audit their Canvas integrations, enforce multi‑factor authentication for all educator accounts, and monitor for unusual API activity as the investigation continues.
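As an added example (not Instructure's code or detection logic), the check below applies the two signals the article names, successful unauthenticated reads of an export endpoint and abnormal bulk-export traffic from one client, to constructed access-log lines; the endpoint path, log layout and thresholds are assumptions.

```python
"""Detect unauthenticated or bursty access to a bulk-export API.
Constructed example, not Instructure's code; path, log layout and
thresholds are assumptions."""
from datetime import datetime, timedelta

# Constructed log lines: "ts method path status auth=<principal|-> client=<ip>".
SAMPLE_LOG = """\
2025-03-03T22:00:01Z GET /api/v1/export/users.json 200 auth=svc-sis client=10.0.0.5
2025-03-03T22:00:02Z GET /api/v1/export/users.json 200 auth=- client=203.0.113.9
2025-03-03T22:00:03Z GET /api/v1/export/enrollments.json 200 auth=- client=203.0.113.9
2025-03-03T22:00:04Z GET /api/v1/courses 200 auth=user-17 client=198.51.100.4
2025-03-03T22:00:05Z GET /api/v1/export/secrets.json 200 auth=- client=203.0.113.9
2025-03-03T22:05:00Z GET /api/v1/export/users.json 401 auth=- client=192.0.2.77
"""

EXPORT_PREFIX = "/api/v1/export/"  # assumed path of the bulk-export service
RATE_LIMIT = 2                      # assumed: more export calls per window is abnormal
WINDOW = timedelta(minutes=1)

def parse_line(line):
    ts, method, path, status, auth, client = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "method": method,
            "path": path, "status": int(status),
            "auth": auth.split("=", 1)[1], "client": client.split("=", 1)[1]}

def find_export_anomalies(log_text):
    """Return (kind, client, detail) findings for export-endpoint misuse."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for e in events:
        # A 200 on an export path with no principal is the missing-auth pattern.
        if e["path"].startswith(EXPORT_PREFIX) and e["status"] == 200 and e["auth"] == "-":
            findings.append(("unauthenticated_export", e["client"], e["path"]))
    # Sliding window over each client's export requests to catch bulk pulls.
    by_client = {}
    for e in events:
        if e["path"].startswith(EXPORT_PREFIX):
            by_client.setdefault(e["client"], []).append(e["ts"])
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 > RATE_LIMIT:
                findings.append(("export_burst", client, end - start + 1))
                break
    return findings
```

Running it over the sample flags only the client that reads export blobs without a principal and exceeds the per-minute threshold; the authenticated service account and the rejected 401 request produce no findings.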