
Instructure Canvas LMS Breach: 275 Million Students and Staff Exposed by ShinyHunters

By ScruteX Team
On 1 May 2026, Instructure, the US ed-tech firm behind the Canvas learning management system, disclosed a cyber incident perpetrated by a "criminal threat actor." Three days later, the extortion crew ShinyHunters claimed responsibility, alleging it had exfiltrated 3.65 terabytes of data belonging to 275 million students, teachers and staff across 9,000 institutions worldwide. The group also claims it breached Instructure's Salesforce instance, the second time it has done so in under nine months.
By 7 May, governments in Australia, the United States and Europe were scrambling to assess the blast radius. Queensland's Education Department confirmed that every student and teacher in its state schools since 2020, the year QLearn (powered by Canvas) went live, has been caught up in the incident. Tasmania's DECYP, TasTAFE, and at least six Australian universities are also affected. In the US, the University of Colorado Boulder and Rutgers have issued notifications. Tilburg University in the Netherlands is investigating impact.
This advisory breaks down what is known, how the breach likely occurred, who is exposed, and what defenders, schools and parents should do in the next 72 hours.

Executive Summary

A criminal threat actor, almost certainly ShinyHunters, accessed Instructure systems supporting the Canvas LMS and exfiltrated identifying information for users at affected institutions. According to Instructure, exposed data includes names, email addresses, student ID numbers and messages between users. The company says it has found no evidence that passwords, dates of birth, government identifiers or financial information were involved. ShinyHunters disputes the scope and is threatening to leak the full dataset, including a list of every affected school, after extortion deadlines passed on 6 and 7 May 2026.
  • Vendor: Instructure Holdings, Inc.
  • Product: Canvas LMS, plus connected Salesforce instance
  • Disclosure: 1 May 2026 (Instructure status page)
  • Claim: 3 May 2026 (ShinyHunters darknet leak site)
  • Volume: 3.65 TB+ uncompressed (claimed)
  • Records: 275M individuals across ~9,000 institutions (claimed)
  • Confirmed data types: Names, emails, student IDs, school/location, user-to-user messages
  • Actor: ShinyHunters (high confidence)
  • Status: Contained per Instructure; leak threat active

Updates

  • 1 May 2026: Instructure publishes initial status page notice; brings in outside forensics.
  • 3 May 2026: ShinyHunters posts the victim entry on its darknet site, claims 275M individuals and 3.65TB.
  • 5 May 2026: A second listing appears: "Entire list of affected schools by Instructure breach," with a 7 May leak deadline.
  • 6 May 2026: Australian National Office of Cyber Security (Michelle McGuinness) confirms it is coordinating the federal response.
  • 7 May 2026: Queensland Education Minister John-Paul Langbroek confirms QLearn impact since 2020. NSW DoE, TasTAFE and multiple universities issue statements. Instructure says the incident is "contained."

Who Is Impacted

ShinyHunters' claim of 9,000 institutions is consistent with Instructure's own public client count, which makes the geographic spread effectively global. Confirmed or self-disclosed impact so far:
Australia
  • Queensland state schools (every student/teacher since 2020 via QLearn). The state government estimates "tens of thousands" affected, against a base of more than 560,000 enrolled students as of February 2026.
  • Tasmania's Department for Education, Children and Young People (DECYP) and TasTAFE.
  • New South Wales Department of Education (impact assessment ongoing).
  • Universities: Melbourne, Sydney, UTS, Western Sydney, Newcastle, Flinders.
United States
  • University of Colorado Boulder, Rutgers University, and an unconfirmed list of K-12 districts. The threat actor's separate "list of affected schools" file is the leverage being used to pressure Instructure.
Europe
  • Tilburg University (Netherlands) is investigating.
The unifying feature is that all of these institutions trusted Instructure with identity and behavioural data on minors, in many cases for years.

What We Know: Timeline

  1. September 2025: ShinyHunters compromises Instructure's Salesforce environment as part of its broader Salesforce vishing campaign that hit dozens of enterprises through the second half of 2025.
  2. Late April 2026: Instructure detects suspicious activity on systems supporting Canvas. External forensics is engaged.
  3. 1 May 2026: Public disclosure via status page. CSO Steve Proud confirms the incident, says investigation is active.
  4. 3 May 2026: ShinyHunters posts to its leak site claiming Canvas, Salesforce, and "billions of private messages among students and teachers." Pay-or-leak ultimatum issued, deadline 6 May.
  5. 5 May 2026: Second leak-site post threatens to publish the full list of affected institutions on 7 May.
  6. 7 May 2026: Instructure declares the incident "contained" but confirms exposure of names, email addresses, student IDs and inter-user messages. ShinyHunters' deadlines have lapsed; data has not yet been published as of writing.

Attack Chain Analysis

Instructure has not published technical detail. Based on ShinyHunters' established TTPs and the September 2025 Instructure incident, our working hypothesis (medium-to-high confidence) is the following chain:
  1. Initial access via SaaS identity abuse. ShinyHunters' 2024 to 2026 campaign has consistently leveraged voice-phishing of helpdesk staff, OAuth token theft, and abuse of connected apps in Salesforce and Workday tenants. The September 2025 Salesforce compromise of Instructure was the likely foothold.
  2. Lateral movement into the Canvas data plane. Salesforce typically holds CRM data on schools, contacts and contracts. Pivoting from there into production Canvas data would require either reused admin credentials, an over-permissioned integration, or a connected internal application. ShinyHunters is known for exploiting all three.
  3. Bulk exfiltration. A 3.65 TB dataset is consistent with a long, low-and-slow extraction window rather than a single smash-and-grab, again matching the group's pattern of staying resident for weeks or months before extortion.
  4. MITRE ATT&CK mapping (preliminary): T1566 (Phishing), T1528 (Steal Application Access Token), T1078.004 (Valid Cloud Accounts), T1213 (Data from Information Repositories), T1567 (Exfiltration Over Web Service).
The defining detail is repetition. The same actor compromised the same vendor twice in eight months. That pattern implies the September 2025 root cause was not fully remediated, or that the lateral path between Instructure's Salesforce tenant and its Canvas estate was never properly segmented.
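
For defenders, the low-and-slow pattern hypothesised in step 3 means a per-day egress alert on an API or OAuth token can stay silent while the cumulative total grows very large. The sketch below is an added example, not Instructure's or ScruteX's code; the record format, token names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

GIB = 2**30
DAILY_LIMIT = 50 * GIB     # assumed per-day egress alert threshold per token
WINDOW_DAYS = 30           # assumed rolling window length
WINDOW_LIMIT = 300 * GIB   # assumed cumulative egress threshold over the window

def sample_events():
    """Constructed egress records: (day, token_id, bytes_out). Not real log data."""
    start = date(2026, 1, 1)
    events = []
    for i in range(60):
        day = start + timedelta(days=i)
        events.append((day, "tok-reporting", 2 * GIB))   # steady integration
        events.append((day, "tok-slow", 20 * GIB))       # always under DAILY_LIMIT
    events.append((start + timedelta(days=10), "tok-burst", 80 * GIB))  # one-day spike
    return events

def detect(events):
    """Return {token: {rule: first_day_iso}} for tokens that trip either rule."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, token, nbytes in events:
        per_day[token][day] += nbytes

    alerts = {}
    for token, days in per_day.items():
        window, total, hits = deque(), 0, {}
        for day in sorted(days):
            window.append((day, days[day]))
            total += days[day]
            # Drop days that have aged out of the rolling window.
            while window[0][0] <= day - timedelta(days=WINDOW_DAYS):
                total -= window.popleft()[1]
            if days[day] > DAILY_LIMIT:
                hits.setdefault("daily", day.isoformat())
            if total > WINDOW_LIMIT:
                hits.setdefault("cumulative", day.isoformat())
        if hits:
            alerts[token] = hits
    return alerts

if __name__ == "__main__":
    for token, hits in sorted(detect(sample_events()).items()):
        print(token, hits)
```

In the constructed data the slow token never trips the daily rule and is caught only by the rolling-window total, which is why both rules are needed.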

Why It Matters

Most breach analysis focuses on credential value. This one is different.
Children's identity data has a 10 to 15 year compromise tail. Most minors will not check credit reports, will not enable MFA on personal email for years, and will not learn that their student ID, school location and email were stolen until they are old enough for synthetic identity fraud to be profitable. Threat actors routinely warehouse data useful for targeting children, built by combining school location with names and ages, for grooming and sextortion campaigns; Australian authorities have already called out this specific risk for families with known domestic-violence flags.
Inter-user messages are the real prize. Names and emails are commodity data. The "billions of private messages between students and teachers" cited by ShinyHunters are not. That corpus is gold for highly targeted phishing, impersonation and social-engineering campaigns aimed at parents, school staff and minors themselves, in many cases pretending to be a known teacher or classmate.
Education is now a Tier 1 target sector. Combined with the MOVEit, PowerSchool and Snowflake-adjacent education incidents of the past 18 months, the message is clear: ed-tech vendors hold richer cradle-to-career identity datasets than most banks, and they are protected with materially less rigour.

Recommendations

For affected institutions (act in next 72 hours)

  1. Force a full Canvas password reset and OAuth token rotation for staff and students, even though Instructure says credentials are not impacted. The cost is low and the precedent for "we found no evidence" being revised upward is high.
  2. Audit every third-party app connected to Canvas and Salesforce. Revoke anything that does not have an active business owner. Re-permission with least-privilege.
  3. Stand up a phishing watch. Expect targeted lures impersonating Canvas, the school IT desk, and individual teachers. Pre-brief staff and parents this week, not next month.
  4. Notify families with safeguarding flags first. Queensland's Education Department has set the right precedent here. Domestic-violence and child-safety cases need direct, channelled notification before generic comms go out.
  5. Issue minor-specific identity guidance. Recommend credit freezes for any minor with a Social Security number, TFN or equivalent. Most parents do not know this is possible.

For CISOs at non-education organisations

  1. Audit your own Instructure / Canvas exposure if you use it for corporate training. Apply the same containment steps.
  2. Re-baseline your SaaS supply chain register. ShinyHunters' 2024 to 2026 campaign has now hit Snowflake customers, Salesforce customers, Workday customers and Instructure twice. The common factor is identity at the SaaS edge, not any single vendor.
  3. Validate that "vendor breach" is an explicit scenario in your incident response runbooks, with named comms owners, regulatory clocks and customer notification templates pre-drafted.

For parents and students

  1. Treat any email referencing your school, marks, fees or Canvas with extreme suspicion until further notice. Verify out-of-band.
  2. Reset Canvas, school email and any reused passwords. Enable MFA where the school permits it.
  3. Watch for password-reset emails you did not request; that is the earliest signal of credential-stuffing follow-on.

How ScruteX Detects This

ScruteX's Threat and Data Exposure modules track ShinyHunters' leak-site postings in near real time and correlate exposed identifiers (domains, employee emails, student handles) against the customer's monitored asset graph. Affected schools and universities can use the free tier to check whether their domain or supplier (Instructure included) is currently named on any monitored leak site, without onboarding effort. For TPRM teams, the Vendor Insights module flags repeat-victim suppliers like Instructure, where the September 2025 incident was already on record.

Key Takeaways

  • ShinyHunters claims 3.65 TB and 275 million records stolen from Instructure's Canvas LMS and Salesforce, affecting roughly 9,000 institutions globally.
  • Confirmed data: names, email addresses, student ID numbers, school locations, inter-user messages. Not confirmed: passwords, DOB, financial data, government IDs.
  • This is the second ShinyHunters compromise of Instructure in under nine months. Repeat victimisation indicates incomplete remediation of the September 2025 Salesforce intrusion.
  • Australian impact is broadest, with Queensland state schools (every student since 2020), Tasmania DECYP, TasTAFE and at least six universities confirmed or investigating.
  • The biggest medium-term risk is targeted phishing and grooming built on stolen private messages, not credential abuse.

Frequently Asked Questions

Was my child's password stolen?

Per Instructure as of 7 May 2026, no. The company states it has found no evidence that passwords, dates of birth, government identifiers or financial information were accessed. Reset the password anyway as a low-cost precaution.

How do I know if my school is affected?

If your school uses Canvas or QLearn (Queensland), assume exposure until your principal or admin tells you otherwise. Australian state and territory education departments, and individual universities, are issuing direct communications this week.

Has a ransom been paid?

There is no public confirmation of payment. ShinyHunters' 6 and 7 May deadlines have lapsed without a full leak as of 7 May. That neither confirms nor rules out payment.

Will the data be leaked?

ShinyHunters has a high follow-through rate when extortion fails. Even if data is delayed or quietly settled, copies almost always surface on secondary forums within months. Plan accordingly.

Is this the same group that hit Snowflake customers?

Yes. ShinyHunters has been the common actor across the 2024 Snowflake-adjacent campaign, the 2025 Salesforce vishing wave, and now this. Their tradecraft centres on SaaS identity abuse rather than malware.
