Instructure Investigating Cyber Attack, Exposure of User Data

The ed-tech giant behind the Canvas learning management system is working with forensic experts to determine the full scope of the incident, though it seems passwords and financial information were not compromised.

The ed-tech software giant Instructure experienced a cybersecurity breach last week, which it is still actively investigating with external support from forensic experts.

Known for its flagship learning management system Canvas, which counts over 30 million active users as customers, Instructure disclosed the incident May 1 on its website. A post from Chief Information Security Officer Steve Proud said staff are working to determine the full scope of the breach and minimize any lingering impact.

According to a May 2 update from Proud, preliminary findings suggested the incident was caused by a “criminal threat actor” and may have involved the exposure of user-identifying information such as names, email addresses, student identification numbers, and user-to-user messages. However, he added that there was no evidence that passwords, dates of birth, government-issued identifiers or financial information were compromised.

“Maintaining your trust is our highest priority, and we are committed to transparency throughout this process,” Proud wrote in the initial post.

Instructure has not publicly identified the criminal threat actor. However, independent security researchers at Cybernews and BleepingComputer both confirmed that the cyber extortion group ShinyHunters claimed credit for the attack by listing Instructure on its data-leak website on May 3.

According to a screenshot of ShinyHunters' post shared by Cybernews, the incident could affect nearly 9,000 schools and 275 million users worldwide, including students, teachers and staff. The extortion group's post said the attack had compromised personally identifying information and billions of private messages written by students and teachers.

ShinyHunters’ post ended with a demand: “FINAL WARNING PAY OR LEAK.”

In response to the incident, Instructure said May 2 that it had taken several immediate steps to secure its platforms and protect user data. These included revoking privileged credentials and access tokens to prevent further unauthorized access, deploying security patches across affected systems, and intensifying monitoring across all platforms.

As a precautionary measure, Instructure also said it cancelled and renewed security keys for certain applications, which the company said users may not be able to access without first reauthorizing their credentials.

“Reissued application keys contain a timestamp in the name and will be visible to users during re-authorization. These are valid Instructure created keys and users should continue the authorization process,” Instructure's website says.

Proud said in a May 2 update that he believed the cybersecurity incident to be contained, and that a forensic investigation was still ongoing while systems were being progressively brought back online and restored to full service.

This cyber attack on Instructure follows several national incidents and reports that have put school cybersecurity in the spotlight, including the PowerSchool breach in late 2024 and ShinyHunters' own attack on Harvard University, Princeton University and the University of Pennsylvania in late 2025. While data breaches in general reached an all-time high in 2025, according to the nonprofit Identity Theft Resource Center, the picture for education is more nuanced. A study by the research company Comparitech found that cyber attacks on the education sector specifically had plateaued in 2025, but the number of records exposed by each — because the attacks were often against third parties like Instructure or PowerSchool — was increasing.