Hackers Threaten to Leak 275 Million Records in Massive Canvas Platform Breach
Salt Lake City, Monday, 4 May 2026.
Instructure faces its second breach in a year as hackers threaten to leak 3.65 terabytes of Canvas platform data, potentially exposing personal records of 275 million global users.
Timeline of the Breach and Immediate Response
The cyberattack against Salt Lake City-based Instructure was initially disclosed on Thursday, April 30, 2026, when the company reported disruptions to tools relying on API keys [1]. By Friday, May 1, the education technology firm confirmed that cybercriminals had perpetrated the incident and that outside forensic experts had been retained to investigate [1][3]. Instructure’s Chief Information Security Officer, Steve Proud, announced on Saturday, May 2, that the breach had been contained [3]. To mitigate the fallout, the company revoked privileged credentials and access tokens, deployed security patches, and reissued certain application keys, which required end-users to reauthorize their access out of an abundance of caution [1][3].
The Extortion Threat and Stolen Data Scale
On Sunday, May 3, 2026, the notorious extortion group known as ShinyHunters claimed responsibility for the attack by listing Instructure on its Tor-based dark web leak site [1][2]. The threat actors allege they have stolen more than 3.65 terabytes of uncompressed data [1][2]. According to their claims, this massive dataset contains personally identifiable information belonging to 275 million students, teachers, and staff members across nearly 9,000 educational institutions worldwide [1][2]. ShinyHunters has issued a final warning to Instructure, demanding the company reach out by Wednesday, May 6, 2026, or face the public release of the stolen data [2].
Broader EdTech Context and System Restoration
By Sunday, May 3, Instructure had largely addressed the technical disruptions and restored access to its Canvas Data 2 platform [1]. Nevertheless, this incident underscores a growing, systemic vulnerability within the education technology sector, which has become a prime target for cybercriminals due to the vast amounts of personal data it aggregates [3]. In 2025, United States schools faced over 3,000 attempted cyberattacks per week, with more than half of surveyed K-12 respondents reporting an incident [2].