ShinyHunters breached Instructure last week and demanded payment or a data leak, according to a ransom message the group sent to the education software company. The hackers warned that if Instructure did not respond, they would publish stolen material tied to Canvas, the learning platform used by 41 percent of higher education institutions across North America.
The threat landed as Canvas users began reporting disruptions to their authentication keys late last week, raising fresh concern among campuses that rely on the platform for daily instruction and student records. Instructure said it has contained the attack, but ShinyHunters claimed the breach affected nearly 9,000 schools worldwide and compromised the personal identifying information of 275 million people, including students, teachers and staff.
The ransom message published by Ransomware.live was dated May 3 and included the line, “PAY OR LEAK.” ShinyHunters told Instructure to reach out by 6 May, and warned that the company could face a leak of “Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information],” a threat aimed squarely at the private communications many schools now store on education platforms.
The breach fits a pattern that has become familiar across the sector. ShinyHunters has also been linked to recent data breaches at the University of Pennsylvania, Princeton and Harvard Universities, and it previously stole data from Ticketmaster, Google and several high-profile universities before the Instructure breach. Last fall, the group breached Salesforce and claimed theft of some one billion customer records across dozens of companies, including Instructure, and in March it infiltrated Infinite Campus before taking credit in April for accessing internal data at McGraw Hill.
Doug Thompson said the Instructure case shows how cybercriminals are shifting away from individual campuses and toward the companies that serve them. “This breach follows a clear pattern we’ve been watching for the last 18 months,” he said. “Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once.”
That shift matters because Canvas is not just another school system. It is the nation’s most popular learning management system and is used by 8,000 partner institutions, giving a successful breach the reach of a mass exposure rather than a single-campus incident. Thompson said, “It’s the math of a bank robber who just figured out where the armored truck stops. Why hold up a hundred branches when the truck visits all of them? The real risk now is downstream,” adding that access to real names, email addresses and even teacher-student messages could make the next wave of phishing far more convincing. “With access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be generic. It will reference real courses and real conversations, which makes it far more likely to succeed.”
The immediate question is no longer whether higher education is being targeted; it is how much damage these platform-level intrusions can do before schools can shut them down. Instructure says it has contained the attack, but ShinyHunters has already shown it is willing to turn education data into leverage, and Canvas users are now left to decide how much trust they can still place in the system that holds their classes, grades and messages.