Class Dismissed? ShinyHunters Claims Massive Breach of 280 Million Records from Canvas LMS
Cybersecurity adversaries have asserted a monumental breach of one of the world’s preeminent pedagogical platforms, claiming the exfiltration of sensitive data belonging to hundreds of millions of students and educators. According to the syndicate known as ShinyHunters, approximately 280 million records—associated with 8,809 academic institutions and educational services—were purloined from the infrastructure of Instructure.
Instructure is primarily distinguished by its learning management system, Canvas, which is ubiquitously employed by schools, colleges, and universities to facilitate assignments, assessments, grading, and scholarly discourse. Following an initial disclosure regarding a cyberattack investigation last week, the corporation confirmed a data breach. The incursion permitted unauthorized access to usernames, electronic mail addresses, and private correspondence.
Responsibility for the assault was claimed by the ShinyHunters extortion group. The hackers contend that they harvested data pertaining to students, faculty, and administrative staff by leveraging Canvas’s intrinsic export utilities, specifically citing DAP queries, user reports, and application programming interfaces (APIs). The adversaries estimate the total volume of exfiltrated information to encompass hundreds of gigabytes.
Furthermore, the syndicate disseminated a manifest of organizations purportedly compromised in the leak, including various universities, school districts, and digital learning platforms. For each entity, an estimated volume of compromised records—ranging from tens of thousands to several millions—was provided. However, the specific identities of these institutions remain undisclosed, as the veracity of ShinyHunters’ assertions is currently undergoing independent verification.
In response, several academic institutions have commenced notifying their constituents of the potential ramifications. The University of Colorado Boulder observed that the breach impacted numerous educational establishments nationwide. Conversely, Rutgers University stated that while Canvas remains operational, there are currently no definitive indicators of a local campus compromise. Meanwhile, Tilburg University indicated that an investigation is ongoing to ascertain whether the personal data of its students and personnel has been compromised.