ShinyHunters Breach Canvas LMS: 275 Million Students Exposed Across 8,800 Universities
ShinyHunters exploited free-teacher account provisioning to steal 3.65TB from Instructure's Canvas LMS, hitting 275 million users at 8,809 institutions. Instructure suffered a second breach just one day after believing the incident was contained — and ultimately paid the ransom.
ShinyHunters have breached Instructure’s Canvas LMS — the platform used by 8,809 universities, colleges, and government education ministries worldwide — stealing 3.65TB of data covering 275 million users. Student names, email addresses, IDs, course records, and private messages were all in the exfiltrated dataset. This is now the largest confirmed breach of an educational platform in history by record count.
The attack vector was deceptively simple. Attackers exploited Instructure’s free-for-teacher account provisioning process to gain an authenticated foothold, then escalated access to production data stores. Canvas serves as the primary learning management system for institutions including Cornell, Yale, the University of Colorado, and hundreds of K-12 districts globally. For many of those 275 million users, their entire academic record — grades, submission history, instructor communications — was on the table.
What was taken: names, institutional email addresses, student IDs, enrollment data, course content and submissions, direct messages between students and instructors. For institutions that integrated Canvas with SSO, session token data may also be implicated.
The Second Breach Changes Everything
Instructure believed it had contained the incident on May 6. The next day, ShinyHunters returned with a second intrusion and reset its ransom deadline to May 12. Instructure ultimately paid. The company has not disclosed the ransom amount.
A single breach is an incident. Being breached twice in 24 hours by the same threat actor signals that Instructure’s initial remediation was surface-level — credentials rotated without understanding the full scope of access the attacker had retained. The second intrusion gave ShinyHunters a clean second window because the first response never removed their foothold.
ShinyHunters is the same group responsible for the 2024 Snowflake wave of breaches (Ticketmaster, AT&T, Advance Auto Parts) and the 2025 Coinbase incident. Their playbook — exploit a low-privilege entry point, move laterally, establish persistent access, demand ransom before publishing — is consistent here.
What Institutions Should Do Now
- Audit all Canvas API integrations for abnormal access patterns from late April onward
- Force password resets and session invalidation for all affected accounts
- Review SSO tokens and OAuth grants provisioned through Canvas
- Alert students and faculty that private messages should be considered compromised
- For institutions with EU users: GDPR requires supervisory authority notification within 72 hours of discovery. The May 6 discovery date already put most institutions outside that window before the second breach was confirmed
The double-breach outcome raises a harder structural question: Instructure’s response to the first intrusion gave ShinyHunters a clean second window. Security teams should pressure every major SaaS vendor for evidence of full environment re-imaging — not just credential rotation — following any confirmed breach.
For institutions managing simultaneous FERPA and GDPR obligations, this is a reporting and legal liability nightmare. FERPA requires notification within a “reasonable time.” The compounding of two breach dates in 24 hours makes that reasonable-time argument significantly harder to make.