
Instructure, the company behind the Canvas learning management system, has confirmed a data breach after a well-known cybercrime group claimed responsibility for stealing data linked to hundreds of millions of users.
Schools, universities, and other organizations use Canvas to manage coursework, communication, and student records, making it a particularly attractive target for attackers.
The breach came to light after the ShinyHunters extortion group listed Instructure on its leak site, claiming it had stolen data from the company’s systems. According to Bleeping Computer, the breach could affect up to 275 million individuals across nearly 9,000 schools worldwide.
Instructure confirmed the cybersecurity incident on May 2 on its official website.
“We are providing an update on the security incident we advised you of yesterday. While our investigation continues alongside our outside forensics experts, at this stage we believe the incident has been contained,” the company said.
So far, Instructure says the exposed information only includes names, email addresses, student ID numbers and messages between users.
The company said there is no evidence (for now) that highly sensitive data such as passwords, financial details, or government identifiers were compromised.
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” Instructure explained. “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.”
In response to the incident, Instructure says it has:
The company is also working with cybersecurity experts and law enforcement as the investigation continues.
Even if the full scope of the breach remains unclear, users and institutions should act cautiously and proactively.
Here are a few immediate steps worth taking:
Check if your institution has issued a notice
Universities and schools are typically responsible for notifying affected users.
Be mindful of suspicious messages
Attackers can quickly use exposed email addresses in targeted scams, crafting messages that appear to come from your school, teachers, or classmates. These messages may reference real classes, conversations, or deadlines to feel more convincing. Be cautious about any unexpected requests, especially if they ask you to click links, download files, or share sensitive information. If something seems unusual, verify it independently by contacting the sender through an official channel, not by replying directly to the message.
Additionally, you can double-check it with Bitdefender Scamio, our free scam detector. For links, use the Bitdefender Link Checker to see if a URL is safe before clicking.
Update passwords (even if not exposed)
It’s a good precaution, especially if you reuse passwords across platforms.
Monitor your digital footprint
Services like Bitdefender Digital Identity Protection help track whether your data appears in known data breaches and alert you early if your information is exposed. It continuously monitors your digital footprint, including email addresses and other personal data, and notifies you if it shows up in newly leaked databases. This kind of early warning allows you to be proactive in changing your passwords, securing accounts, and reducing the risk of follow-up attacks like phishing or identity theft.
Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.