ShinyHunters, the prolific extortion crew also known as "Arctic Comusters," has listed Instructure Holdings, the parent company of Canvas LMS, on its dark web leak site, claiming to have exfiltrated more than 3.65TB of data tied to one of the world's most widely deployed learning management platforms. The group claims the breach impacts up to 275 million students, teachers, and institutional staff, and is threatening to release several billion private platform messages unless demands are met by May 6th. Instructure has confirmed an incident, acknowledged that user-identifying data may have been viewed or exfiltrated, and stated the intrusion has been contained.

What Happened

On May 3rd, ShinyHunters published Instructure Holdings to its leak site under what it labeled a "final warning," giving the company until May 6th to respond before the data is released. The post claims theft of over 3.65TB of records spanning the Canvas LMS user base, with attackers also asserting that an associated Salesforce instance was breached and that "a lot more data is involved." In a press release, Instructure confirmed that attackers may have viewed or exfiltrated certain user-identifying information, but stated there is no evidence passwords, dates of birth, government identifiers, or financial information were exposed. The company said on Saturday the incident had been contained. ShinyHunters has not yet released a data sample, leaving the precise scope unverified, though Cybernews researchers caution that even discounted figures would represent a significant exposure given the sensitivity of educational records.

What Was Taken

According to both ShinyHunters' claims and Instructure's own disclosure, the exfiltrated dataset includes:

If the 275 million figure holds, this would rank among the largest education-sector data thefts on record. The message corpus is the most sensitive element: private conversations between minors, faculty, and administrators carry harassment, doxing, and social-engineering risk well beyond what a typical credential dump enables.

Why It Matters

Canvas LMS is embedded in K-12 districts, higher education, and corporate training programs across the globe, making any confirmed compromise a systemic event for the education sector. Unlike financial breaches where impact can be quantified in fraud losses, exposure of student communications creates long-tail harm: identity records tied to minors, sensitive disclosures shared with educators, and disciplinary or counseling threads that were never intended to leave the platform. ShinyHunters' track record, including high-profile Salesforce-adjacent extortion campaigns throughout 2025, lends credibility to the Salesforce pivot claim and suggests this is part of a broader pattern of SaaS supply-chain abuse rather than an isolated platform compromise.

The Attack Technique

ShinyHunters has not disclosed an initial access vector, and Instructure has not published technical detail on the intrusion. However, the attacker's explicit reference to a breached Salesforce instance aligns with ShinyHunters' established 2025 playbook of voice phishing (vishing) and OAuth token abuse against Salesforce tenants, often pivoting from a SaaS foothold into adjacent corporate data stores. This pattern has been observed in their previous extortion campaigns against major enterprises and is consistent with the group's preference for human-layer compromise over exploitation of software vulnerabilities. Until Instructure publishes a post-incident report or ShinyHunters releases proof, the entry path remains unconfirmed.

What Organizations Should Do

  1. Audit Canvas and Instructure integrations: Identify all SSO connections, API tokens, and third-party app authorizations linked to your Canvas tenant, and rotate any long-lived credentials.
  2. Hunt for Salesforce OAuth abuse: Review connected app authorizations, refresh-token activity, and anomalous data export volumes in any Salesforce tenant linked to Instructure or other education-vendor integrations.
  3. Notify and prepare student/staff communities: Issue advisories warning of likely targeted phishing using leaked names, student IDs, and message context. Education-themed lures should be expected within days of any leak.
  4. Tighten vishing defenses: Reinforce help-desk identity verification procedures and MFA reset workflows, given ShinyHunters' documented reliance on social engineering.
  5. Preserve logs for downstream investigation: Retain Canvas audit logs, SAML/SSO authentication records, and email gateway telemetry covering the suspected window for potential subpoena or regulatory inquiry.
  6. Track the May 6th deadline: Monitor ShinyHunters' leak site and credible threat-intel feeds for sample releases that would confirm scope and enable victim notification.
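A sketch of the hunt in item 2, added here as an example and not taken from the original article, Instructure, or Salesforce. It assumes event-monitoring data has already been exported and normalized into the hypothetical fields `day`, `user`, `app`, `event`, `rows` and `ip`; the sample records, the allow-list and the thresholds are constructed.

```python
from collections import defaultdict
from statistics import median

FIELDS = ("day", "user", "app", "event", "rows", "ip")  # hypothetical normalized schema
# Constructed sample records, not real Salesforce log output.
SAMPLE = [dict(zip(FIELDS, r)) for r in [
    ("2025-01-06", "alice", "LMS Sync", "refresh_token", 0, "198.51.100.10"),
    ("2025-01-06", "alice", "LMS Sync", "api_query", 1000, "198.51.100.10"),
    ("2025-01-07", "alice", "LMS Sync", "api_query", 1200, "198.51.100.10"),
    ("2025-01-08", "alice", "LMS Sync", "api_query", 900, "198.51.100.10"),
    ("2025-01-09", "alice", "Ticket Portal", "oauth_authorize", 0, "203.0.113.77"),
    ("2025-01-09", "alice", "Ticket Portal", "refresh_token", 0, "203.0.113.77"),
    ("2025-01-09", "alice", "Ticket Portal", "api_query", 500000, "203.0.113.77"),
    ("2025-01-06", "bob", "LMS Sync", "api_query", 300, "198.51.100.20"),
    ("2025-01-07", "bob", "LMS Sync", "api_query", 350, "198.51.100.20"),
    ("2025-01-08", "bob", "LMS Sync", "api_query", 320, "198.51.100.20"),
    ("2025-01-09", "bob", "LMS Sync", "api_query", 400, "198.51.100.20"),
]]
APPROVED_APPS = {"LMS Sync"}  # assumption: connected apps your team has reviewed

def hunt(events, approved_apps, volume_factor=10, min_baseline_days=3):
    """Return (finding, day, user, detail) tuples for the three signals in item 2."""
    findings = []
    daily_rows = defaultdict(lambda: defaultdict(int))  # user -> day -> rows pulled
    seen_ips = defaultdict(set)                         # user -> IPs used for token refresh
    for e in sorted(events, key=lambda e: e["day"]):    # stable sort keeps same-day order
        if e["event"] == "oauth_authorize" and e["app"] not in approved_apps:
            findings.append(("unapproved_app", e["day"], e["user"], e["app"]))
        elif e["event"] == "refresh_token":
            # Only flag once the user has a history; the first IP seeds the baseline.
            if seen_ips[e["user"]] and e["ip"] not in seen_ips[e["user"]]:
                findings.append(("refresh_new_ip", e["day"], e["user"], e["ip"]))
            seen_ips[e["user"]].add(e["ip"])
        elif e["event"] == "api_query":
            daily_rows[e["user"]][e["day"]] += e["rows"]
    for user, per_day in daily_rows.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]    # this user's earlier days only
            if len(history) >= min_baseline_days and per_day[day] > volume_factor * median(history):
                findings.append(("export_spike", day, user, per_day[day]))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE, APPROVED_APPS):
        print(finding)
```

Comparing each user against their own median keeps a legitimately heavy integration account from masking a spike on a low-volume account; tune `volume_factor` and `min_baseline_days` to your tenant before relying on it.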

Sources: Who attacked Canvas? The gang is threatening to spill billions of messages