SHINYHUNTERS has claimed a second breach of Instructure, the vendor behind the Canvas LMS, hours after Instructure said the incident was over. The group says it breached on 25 April by exploiting exposed cloud infrastructure at a large, well-connected organisation to access and threaten to leak data, following an initial intrusion Instructure later described as contained.
Instructure has reported an ongoing security incident due to a follow-on compromise of Free-For-Teacher accounts, with the company noting it offline again on 7 May to contain the activity and later stating the service is fully back online. The attackers’ claims include theft of about 3.65TB of data, covering the names, emails and student IDs of around 275 million individuals from just under 9,000 institutions, plus “several billions of private messages” between students and teachers.
Public responses have shown dispute over whether the incident is fully contained, while ransom-related splash messages continued circulating through May 7. Instructure’s 8 May statement confirmed the Free-For-Teacher account vulnerability but did not detail its nature.