ShinyHunters claims 280M-record theft from Instructure Canvas across 8,800 institutions

The ShinyHunters extortion crew is taking credit for last week’s Instructure breach, claiming exfiltration of roughly 280 million records spanning students, teachers, and staff at 8,809 school districts, universities, and online education platforms running Canvas. Instructure has confirmed a cyberattack and acknowledged exposure of names, email addresses, and private messages, but has not commented on the scale alleged by the attackers.

The attackers say the data was harvested through legitimate Canvas data egress paths — DAP queries, provisioning reports, and user APIs — pulling hundreds of gigabytes of user records, messages, and enrollment data. That technique points at credential or token compromise on accounts with broad export privileges rather than a novel exploit, and explains how a single intrusion could fan out across thousands of tenants.

Downstream institutions are beginning to react asymmetrically: CU Boulder has flagged it as a nationwide event, while Rutgers and Tilburg University say they have not yet confirmed direct impact and are awaiting vendor clarification. The blast radius across K-12 and higher ed makes this a significant supply-chain incident for the education sector, with per-institution record counts ranging from tens of thousands into the millions.