Hackers Steal Student Data in Major Breach at Education Tech Giant Instructure

The education technology sector has been rocked by a significant security incident. Instructure, the company behind the widely used Canvas learning management system, has confirmed a data breach that exposed sensitive student information. The notorious hacking group ShinyHunters has taken credit for the attack, claiming to have accessed a trove of personal data.

What Was Stolen in the Instructure Data Breach?

According to the company’s official statement, the breach affected students’ private details. The hackers allegedly obtained names, personal email addresses, and messages exchanged between teachers and students. This matches the type of data Instructure admitted was compromised.

ShinyHunters shared a sample of the stolen information with TechCrunch, including records from two U.S. schools—one in Massachusetts and one in Tennessee. The Massachusetts data contained messages with names, email addresses, and some phone numbers. The Tennessee sample included full names and email addresses. Notably, passwords were not part of the leaked data, and Instructure confirmed that other sensitive data types remained unaffected.

ShinyHunters: The Group Behind the Attack

ShinyHunters has a track record of targeting universities and cloud database companies. This gang is financially motivated and often threatens to publish stolen data unless a ransom is paid. On its leak site, the group claimed the breach impacted nearly 9,000 schools worldwide and exposed data on 275 million individuals, including students, teachers, and staff. In an online chat, a ShinyHunters member told TechCrunch that the stolen data contained 231 million unique email addresses.

However, experts caution that such groups often exaggerate their claims to attract media attention and pressure victims. TechCrunch could not independently verify the full scope of the breach.

Impact on Schools and the Canvas Platform

Instructure’s Canvas platform is a cornerstone for many educational institutions, enabling course management, assignments, and communication. The breach raises serious concerns about the security of student data on such platforms. Schools using Canvas should review their security protocols and consider tips for protecting student information.

ShinyHunters also released a list of approximately 8,800 schools allegedly affected. While Instructure claims over 8,000 institutional customers, TechCrunch could not confirm whether all listed schools were affected or were even Instructure clients. The company’s spokesperson, Kate Holmes, declined to answer specific questions and directed inquiries to the company’s official update page.

Restoration Efforts and Ongoing Investigation

As of Tuesday, Instructure reported that some products, including Canvas, were restored for customers after undergoing maintenance. The company is continuing to investigate the breach and update its response. For those seeking more information, Instructure’s cybersecurity best practices for schools guide offers additional guidance.

This incident underscores the growing threat of cyberattacks on educational institutions. Schools must remain vigilant and implement robust security measures to safeguard sensitive data.