
ShinyHunters has claimed an attack on Canvas, an education platform used by millions worldwide. The attackers are threatening to leak billions of private messages and user records unless their demands are met.
On a dark web leak site, ShinyHunters claims to have stolen more than 3.65TB of data tied to Instructure Holdings, the company best known as the developer of the Canvas learning management system (LMS), one of the most widely used learning platforms in the world.
ShinyHunters listed Instructure Holdings on its leak site on May 3rd, calling it a “final warning” before the data would be leaked. The attackers gave the company until May 6th to reach out.
According to ShinyHunters’ post, the breach could affect up to 275 million individuals, including students, teachers, and institutional staff.
The group also alleges it has obtained “several billion” private messages exchanged within the platform, potentially exposing sensitive conversations between students, educators, and administrators.
“Your Salesforce instance was also breached, and a lot more data is involved. Pay or Leak,” the attackers threatened.
ShinyHunters has not yet provided a data sample to back up its claims. If the scope of the breach is confirmed, it would place the incident among the largest education-related data thefts ever reported.
What data was exfiltrated?
- Full names and student IDs
- Institutional or personal email addresses
- Internal communications and messages
The company says the attack has been contained
In a press release, the company stated that attackers may have viewed or exfiltrated certain user-identifying information, including full names, email addresses, student ID numbers, and messages.
The learning management systems developer says there’s no evidence that passwords, dates of birth, government identifiers, or financial information were exposed.
On Saturday, the company claimed that the incident had been contained. Cybernews has reached out to the company to confirm whether the attack's scope matches the attackers' claims. A response is yet to be received.
Implications for millions of students
Since its founding in 2008, Instructure Holdings has grown into a central pillar of digital education infrastructure and dominates large segments of the North American LMS market.
Data exposure might affect millions of users. Canvas LMS is Instructure Holdings' flagship product. Approximately 4,000 institutions worldwide, including universities, schools, and corporate organizations, use Canvas LMS. The iOS student app alone has over 2 million ratings.
Following a $4.8 billion acquisition by KKR and Dragoneer Investment Group in 2024, the company now operates privately with a global footprint spanning more than 100 countries.
What risks do students face?
Cybernews researchers warn that, even if the attackers’ numbers are inflated, the platform's nature means the data's potential sensitivity is significant.
“The number claimed by ShinyHunters is quite huge. However, we believe it to be legitimate,” the Cybernews research team noted, pointing to the platform’s scale and adoption.
That combination of exposed data helps attackers craft highly targeted social engineering campaigns.
Attackers could impersonate teachers, administrators, or classmates, crafting messages that feel convincingly real. It could also cause operational disruptions within educational institutions.
“Because of how massive this dataset allegedly is, these risks would not be limited to one school or university, but also possibly to companies that might use Canvas for employee training purposes,” noted one Cybernews researcher.
ShinyHunters accelerates its attacks
ShinyHunters is no stranger to breaches that hit the headlines. The extortion crew has torn through 2026 with almost industrial rhythm.
In February, it looted 6.2 million records from Dutch telecom Odido in a Salesforce heist that triggered a class action and a criminal investigation.
In March, it dumped 350GB of data stolen from the European Commission. US tech giant Cisco's Salesforce was threatened by the gang, and an attacker exposed nearly a million accounts from fintech firm Figure and 9 million records from Amtrak.
Canvas is not the only student platform that ShinyHunters has targeted. It compromised 11 million students through the school software firm Infinite Campus in March.
Financial giants Ameriprise Financial and Mercer Advisors were also targeted this year. Identity protection firm Aura saw 900,000 records leaked. GTA’s creator, Rockstar Games, confirmed it was among the latest names added to the list.
The gang built its name by stealing and selling data on dark web forums. In 2025, it pivoted to vishing campaigns targeting enterprise Salesforce environments.
Security researchers tie the group to a broader supergroup alongside Scattered Spider and LAPSUS$, all sharing overlapping members and roots in the youth cybercrime subculture known as "The Com."
Arrests across Canada, France, Turkey, and Finland seem to have done nothing to slow the pace of the attacks.