HackMyIP
2026-05-03 BleepingComputer

Instructure Data Breach: ShinyHunters Claim 4.5M Records Stolen

Data Breach, Threat Intel, Privacy

Instructure, the educational technology company behind the popular Canvas learning‑management system, confirmed on March 5, 2026 that unauthorized actors had accessed its internal network and stolen a cache of user data. The breach was discovered when security monitoring tools flagged anomalous outbound traffic originating from a compromised administrator account. Forensic investigators later determined that the attackers had exfiltrated a database containing names, email addresses, hashed passwords, and organizational affiliations of faculty, students and staff.

The ShinyHunters extortion group promptly posted a sample of the stolen data on a Tor‑hosted leak site, asserting they possessed 4.5 million unique records and threatening to sell the full dataset unless a ransom was paid. This tactic aligns with ShinyHunters’ known playbook—previously linked to the exposure of data from Appen, Mathway and other firms—where they leverage public leak sites to pressure victims into compliance.

Investigators traced the initial foothold to a misconfigured API endpoint that allowed privilege escalation from a low‑privileged service account to an administrative one. The compromised admin account used a weak password and lacked multi‑factor authentication, enabling the attackers to move laterally within the environment. Over a 72‑hour window the threat actors harvested the data before Instructure’s incident‑response team isolated the affected systems.

Instructure has reset passwords for all impacted accounts, notified law‑enforcement agencies, and is providing complimentary credit‑monitoring services to affected users. The company urges all Canvas users to change their passwords immediately, enable MFA, and be vigilant for phishing attempts that may capitalise on the exposed contact information. The incident highlights the escalating risk of credential‑based attacks against EdTech platforms and underscores the necessity of hardening administrative interfaces against brute‑force and credential‑stuffing campaigns.

Source: BleepingComputer
