Instructure, the Salt Lake City-based operator of the Canvas learning management system (LMS), confirmed a data breach exposing users' personal information on May 1, with the extortion group ShinyHunters claiming responsibility two days later.
📢⚠️ #ShinyHunters has claimed responsibility for major breaches affecting Instructure Canvas LMS and Vimeo, exposing millions of records through direct and supply chain attacks.
Read: https://t.co/kNFy02FfXu #CyberSecurity #DataBreach #CanvasLMS #Vimeo #Instructure
— Hackread.com (@HackRead) May 6, 2026
The company first reported a service disruption on April 30. Instructure said it patched affected systems, revoked compromised credentials, and rotated API keys “out of an abundance of caution.” The company engaged third-party forensics experts and law enforcement and said it believed the intrusion had been contained by May 2.
Confirmed compromised data includes users’ names, email addresses, student ID numbers, and private messages. Instructure said passwords, government identifiers, birth dates, and financial data were not affected.
On its dark web extortion site, ShinyHunters said the breach affected approximately 275 million users across nearly 9,000 institutions globally. As of May 5, the group revised the figure to 280 million records tied to 8,809 institutions.
A ShinyHunters member told TechCrunch the stolen data contains 231 million unique email addresses. Named institutions on the group’s published victim list include Harvard, Stanford, and Columbia universities, as well as Apple. These figures have not been independently verified.
ShinyHunters — the group that hacked @PennGSE last fall — tells me they acquired over 300,000 lines of data from Penn users in their recent Instructure breach.
The hackers claim the incident affected nearly 9,000 institutions, including all 8 Ivy Leagues.
More TK in @DailyPenn
— Jasmine Ni (@jasmineni_) May 6, 2026
ShinyHunters said the attack exploited a Salesforce Experience Cloud misconfiguration, the same method the group has used against hundreds of organizations since at least March 2026. Salesforce warned its customers in March about active exploitation of misconfigured Experience Cloud instances, with attackers using a modified version of AuraInspector, an open-source auditing tool developed by Mandiant.
This is Instructure’s second disclosed security incident in eight months. The company lists more than 8,000 institutions as customers worldwide.
ShinyHunters has separately announced breaches of Rockstar Games, Medtronic, Udemy, Zara, and 7-Eleven in 2026.






