HackMyIP
2026-05-05 BleepingComputer

Instructure Breach: Hacker Claims 280M Records from 8,800 Schools

Data Breach | Privacy | Threat Intel

Education technology provider Instructure has disclosed a significant data breach after a threat actor operating under the alias 'CSAMKing' claimed to have stolen approximately 280 million records containing sensitive student and staff information from 8,809 educational institutions worldwide. The compromised data reportedly includes full names, email addresses, phone numbers, and other personally identifiable information (PII) associated with Instructure's Canvas learning management system. Instructure, which powers popular platforms including Canvas LMS and other educational tools used by K-12 school districts and higher education institutions, confirmed the incident and stated that it is actively investigating the unauthorized access. The breach affects institutions across the United States, Canada, and other regions where Canvas is deployed as a primary learning platform.

Security researchers analyzing the stolen data claim the information was exfiltrated from exposed application programming interfaces (APIs) and includes detailed user profiles for students, educators, and administrative staff. The threat actor reportedly attempted to sell the database on criminal forums, with offers ranging from tens of thousands to over $200,000 depending on the dataset's completeness and regional coverage. Cybersecurity firm Hudson Rock first identified the breach after monitoring dark web activity, noting that the compromised records date back several years and may include historical enrollment data from multiple academic terms.

Instructure has notified affected institutions and is coordinating with federal law enforcement agencies, including the FBI and the U.S. Department of Education's Office of Cyber Investigations. The company is urging all users to reset passwords and enable multi-factor authentication (MFA) immediately. Educational institutions are advised to audit user accounts, monitor for suspicious login activity, and implement enhanced email filtering to protect against targeted phishing campaigns that may leverage the stolen PII. The breach has raised concerns about the security practices of educational technology vendors and the adequacy of data protection measures for minors' sensitive information under COPPA and FERPA regulations.

Security experts recommend that organizations affected by the Instructure breach treat all associated credentials as compromised and implement zero-trust network principles. Affected users should be vigilant for social engineering attacks, credential stuffing attempts, and fraudulent communications purporting to be from educational institutions. The incident underscores the growing risk posed by supply chain attacks targeting third-party ed-tech providers, which maintain vast repositories of sensitive data on students and faculty members.

Source: BleepingComputer
