HackMyIP
2026-05-08 Dark Reading

ShinyHunters Claims Second Instructure Breach: 300M+ Users Exposed

ShinyHunters, the notorious threat group behind a string of high‑profile data thefts, announced on March 5 that it had executed a second intrusion into Instructure, the education‑technology firm that hosts the Canvas learning‑management system. According to the group’s post on a dark‑web forum, the attack exploited an unpatched API endpoint that allowed unauthenticated access to internal administrative functions. The vulnerability, later identified as CVE‑2023‑48795, bypassed multi‑factor authentication and gave the attackers a foothold in the company’s production environment.

The compromised infrastructure contained a replica of Instructure’s primary user database, which the company confirmed includes more than 300 million records. Exposed data comprises full names, email addresses, phone numbers, and hashed passwords (SHA‑256 with salt). In addition, the dump includes OAuth tokens, API keys for third‑party integrations, and session cookies that could be used to impersonate legitimate users in connected services. Security researchers who examined a sample of the leaked data report that the records appear authentic, with timestamps dating to early 2024.

Instructure acknowledged the breach in a statement on March 6, saying it had retained a leading digital‑forensics firm, disabled the affected API, and rotated all compromised credentials. The company has also patched CVE‑2023‑48795, hardened its OAuth flows, and is working with federal law‑enforcement agencies. Instructure is urging all Canvas users to reset passwords immediately, enable MFA if not already active, and monitor accounts for unusual activity. The sheer volume of PII raises concerns about a surge in credential‑stuffing attacks, targeted phishing, and potential identity‑theft schemes.

Industry analysts note that ShinyHunters typically monetizes such breaches by selling datasets on underground markets, and the latest leak could soon appear on known Tor‑based marketplaces. The incident underscores the growing risk of API‑based attack surfaces in cloud‑first platforms and highlights the need for continuous penetration testing, rigorous supply‑chain audits, and strict credential‑rotation policies to mitigate the impact of similar breaches.

Source: Dark Reading
