A criminal extortion group claims to have stolen 275 million records from Instructure, the company behind the widely used Canvas platform.
WASHINGTON — A cybersecurity attack on the nation’s most widely used classroom software has potentially exposed the personal data of millions of students and educators across the country.
Instructure, the company that runs the Canvas learning management system used by more than 7,000 universities, K-12 districts and education ministries worldwide, disclosed the breach to affected institutions this week. The company confirmed names, email addresses, student ID numbers and private messages between users had been accessed before the breach was contained.
Canvas is used by 41% of higher education institutions across North America to deliver courses. Millions of K-12 students rely on it as well. In North Carolina alone, the state Department of Public Instruction has used Canvas across all public K-12 schools since 2015.
The criminal extortion group ShinyHunters claimed responsibility for the attack. On a dark web leak site, the group alleged it had stolen more than 3.65 terabytes of data and threatened to release it unless its demands were met. The group said it stole roughly 275 million records tied to students, teachers and staff, and shared a list of 8,809 school districts, universities and online education platforms it claims were affected.
ShinyHunters warned that a failure to pay could result in the release of “several billions of private messages among students and teachers.” A ransom message on the platform appears to give Infrastructure until May 12 to respond before the hackers leak information.
The company stated that the affected data might have included full names, email addresses, student ID numbers and messages, but that there is no evidence passwords, dates of birth, government identifiers or financial information were exposed.
The sensitivity of Canvas messages compounds the concern. The platform is used by students to disclose medical and mental health information to academic advisers, to request accommodations and to communicate with Title IX advocates.
Notably, this is Instructure’s second confirmed breach in approximately eight months. In September 2025, the same ShinyHunters group exploited a social engineering attack against the company’s Salesforce environment.
Officials across the country are advising students, parents and staff to be cautious of unsolicited emails or messages that appear to come from Canvas, particularly those requesting personal information or password resets. Monitoring accounts for unusual activity is also encouraged.
Instructure said it has engaged outside forensic cybersecurity experts and law enforcement. The investigation is ongoing, and the full scope of the breach has not yet been determined.