Canvas (Instructure) LMS Down in Ongoing Ransomware Attack

TLDR

  • ShinyHunters ransomware group breached Instructure’s Canvas LMS, taking it offline and threatening to leak data from 9,000 schools and 275 million users by May 12.

Key Takeaways

  • Compromised data includes student names, email addresses, ID numbers, and messages across Canvas, Canvas Beta, and Canvas Test environments.
  • ShinyHunters claims Instructure ignored initial contact and that security patches were insufficient; the group set a May 12 deadline before full data release.
  • Instructure confirmed the breach last week and deployed patches, but these did not prevent the escalation to a full platform outage.
  • ShinyHunters has a track record of major breaches: Ticketmaster, AT&T, Rockstar Games, ADT, and Vercel.
  • Schools wanting to prevent data release were directed to contact ShinyHunters via TOX, a pattern consistent with double-extortion ransomware tactics.

Hacker News Comment Review

  • Commenters noted Instructure’s near-total communication silence during the outage, with no status updates or breach reports; this is especially damaging because the outage falls during U.S. finals season.
  • Debate split between those favoring school-run infrastructure to reduce single-point-of-failure risk and those pointing out that self-hosted platforms typically introduce worse security holes than maintained SaaS alternatives.
  • Some observers noted ShinyHunters’ listing for Instructure was quietly removed from their leak site mid-incident, suggesting possible behind-the-scenes negotiation despite no public statement.

Notable Comments

  • @corvad: flags likely SLA violations and lawsuits given the outage timing overlaps with finals for most U.S. schools.
  • @somebudyelse: Instructure’s entry and school list were removed from the ShinyHunters site, a concrete mid-incident development not addressed publicly.
