**Instructure**, the company behind the popular **Canvas** learning management system (LMS), is facing a major cybersecurity incident. A recent breach has reportedly exposed the data of millions of students and staff across numerous educational institutions. ### Breach Details Last Friday, **Instructure** disclosed they were investigating a cyberattack, which later confirmed to be a data breach. User names, email addresses, and private messages were potentially exposed. The **ShinyHunters** extortion gang has claimed responsibility for the attack, asserting that they exfiltrated 280 million records belonging to students, teachers, and staff. This data allegedly originates from 8,809 colleges, school districts, and online education platforms that utilize **Canvas**.  *Instructure listing on ShinyHunters data leak site* **ShinyHunters** has published a list of educational institutions purportedly affected, along with record counts for each. These counts range from tens of thousands to several million per institution. BleepingComputer has chosen not to publish the list of impacted institutions due to the lack of independent verification. The threat actors claim to have leveraged **Canvas** data export features, including DAP queries, provisioning reports, and user APIs, to harvest hundreds of gigabytes of user records, messages, and enrollment data. ### Institutional Response While **Instructure** has not yet responded to requests for comment, some universities have begun issuing statements regarding the potential impact: * The **University of Colorado Boulder** warned of a nationwide data breach affecting multiple institutions using **Canvas**. * **Rutgers** stated that they have not been notified of any direct impact to their campus and that **Canvas** remains operational. * **Tilburg University** is investigating the incident and attempting to determine the extent of the impact on their students and staff. BleepingComputer has reached out to **Instructure** for further information and will update this story as more details become available. ## 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming. At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot