Instructure, the maker of the Canvas learning management system, disclosed on May 1 a data breach in which a threat actor stole identifying information of users at affected institutions. The attack, claimed by ShinyHunters, involved exfiltrating about 3.65TB of data representing roughly 275 million users across 9,000 institutions.
Instructure temporarily took Canvas Data 2 and Canvas Beta offline for maintenance during the investigation, with Data 2 returning on May 3 and Beta on May 4; Canvas Test remained under maintenance. The disclosed data included names, emails, student ID numbers, and messages exchanged among users, but there is no evidence that passwords, dates of birth, government identifiers, or financial information were stolen.
Experts quoted by Dark Reading warned that schools' data protection obligations persist under FERPA even though the data resides on a platform the schools don't control, and they urged institutions to review data retention policies and strengthen security practices such as MFA and vendor security assurances. The breach underlines the deep vendor dependence in education technology and the challenges for schools in migrating away from widely used platforms.