The cyber extortion group ShinyHunters has claimed responsibility for a massive cyberattack targeting Instructure, the company behind the Canvas learning management platform used by thousands of schools worldwide.
According to reports from Koran Manado, the hackers alleged they gained access to personal information belonging to nearly 275 million users connected to Canvas, including students and teachers across almost 9,000 educational institutions globally.
The reportedly stolen data includes names, email addresses, student ID numbers and billions of private messages exchanged through the platform.
What is ShinyHunters?
ShinyHunters is a well-known hacking and extortion group that has been linked to several major data breaches in recent years.
Cybersecurity researchers say the group often targets large organizations and third-party vendors before threatening to leak stolen information unless ransom demands are paid.
The group has previously been associated with attacks involving companies such as Salesforce, McGraw Hill and Infinite Campus.
In the latest incident, ShinyHunters reportedly issued a “pay or leak” ultimatum to Instructure with a May 6 deadline.
Instructure confirms attack
Instructure chief information security officer Steve Proud confirmed the company had experienced a breach involving what he called a “criminal threat actor.”
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers,” Proud said in a status update.
Why experts are concerned
Cybersecurity experts say the attack points to a growing trend in which hackers target third-party education vendors instead of individual schools, allowing them to potentially compromise thousands of institutions at once.
The breach has particularly impacted Utah, where most K-12 schools use Canvas.
Katy Challis said the risk of direct identity fraud appears low for now, but warned the leaked information could later be used for phishing scams or social engineering attacks.
Authorities are continuing to investigate the full scope of the breach.
