Cyber Incident Victim: Instructure

On April 30, 2026, Instructure disclosed that a cyberattack had disrupted services that relied on API keys and had resulted in a data breach. The company said the disruption was largely addressed by Sunday, May 3, when access to the Canvas Data 2 platform was restored. On May 1, Instructure announced that the incident was perpetrated by cybercriminals and that it had engaged outside forensics experts to investigate. The following day, May 2, the company stated that the attack had been contained and that certain application keys had been reissued, requiring users to reauthorize access to affected tools. Instructure also reported that it had revoked privileged credentials and access tokens, deployed security fixes, and implemented additional monitoring.

Instructure revealed that the attackers had gained access to personal information including names, email addresses, and student ID numbers, and that user messages were also compromised. The company explicitly stated that, at the time of its disclosure, there was no evidence that passwords, dates of birth, government identifiers, or financial information had been involved in the breach. Instructure did not provide details on how many institutions or individual users were affected, nor did it identify the threat actor responsible for the incident. The lack of specific numbers left the scope of the exposure uncertain despite the confirmed data types.

On May 3, the extortion group ShinyHunters added Instructure to its Tor‑based leak site, claiming to have stolen 3.65 terabytes of data. The group asserted that the stolen information belonged to approximately 275 million students, teachers, and other individuals associated with close to 9,000 education institutions worldwide. ShinyHunters also alleged that Instructure’s Salesforce instance had been compromised as part of the attack. These claims were presented by the threat actor and have not been independently verified by Instructure in the available sources.