Instructure Ransomware Claim by ShinyHunters (May 2026)

Claim Summary

On May 3, 2026, the ransomware group ShinyHunters posted an unverified claim on their leak site alleging a significant data breach at Instructure Holdings, Inc., the parent company of Canvas LMS (instructure.com). According to the threat actor, the attack compromised nearly 9,000 schools worldwide, impacting approximately 275 million individuals including students, teachers, and staff. The group claims to have exfiltrated 3.65TB of uncompressed data, which allegedly includes personally identifiable information (PII), billions of private messages between students and teachers, and data from Instructure’s Salesforce instance. The group has issued a “final warning” with a deadline of May 6, 2026, threatening to leak the data and cause unspecified “digital problems” if demands are not met.

Threat Actor Profile

ShinyHunters is a known threat actor group that has historically focused on data extortion rather than traditional ransomware deployment. While the group’s total known victim count is not publicly documented, they have been associated with several high-profile data breaches in the education and technology sectors. Their known tools and tactics are not well-documented in public research, but they typically employ credential theft, SQL injection, and exploitation of misconfigured cloud services to gain initial access. The group’s credibility is mixed - they have successfully exfiltrated and leaked data in past incidents, but they have also been known to exaggerate claims to pressure victims. No YARA rules or specific detection guidance for ShinyHunters is currently available in public threat intelligence repositories.

Alleged Data Exposure

According to the unverified leak site post, the claimed data includes:

• PII of 275 million individuals across nearly 9,000 schools globally
• Student, teacher, and staff records containing names, contact information, and other personal details
• Billions of private messages between students and teachers, and among students, allegedly containing personal conversations and additional PII
• Data from Instructure’s Salesforce instance, though the specific contents are not detailed
• Total data volume: 3.65TB (uncompressed)

The group claims this is a “final warning” and threatens to release the data publicly on May 6, 2026, along with unspecified “digital problems” for the organization.

Potential Impact

If verified, this alleged breach would represent one of the largest education sector data exposures in recent history. The potential impact includes:

• Widespread identity theft and fraud risks for millions of students, teachers, and staff
• Exposure of sensitive private communications between minors and educators, raising significant privacy and legal concerns
• Regulatory consequences under FERPA, GDPR, and other data protection frameworks
• Reputational damage to Instructure and the thousands of schools using Canvas LMS
• Potential operational disruption from the threatened “digital problems”

The education sector is particularly sensitive to data breaches due to the involvement of minors and the long-term consequences of PII exposure.

What to Watch For

• Monitor Instructure’s official communications for confirmation or denial of the claim
• Watch for any data leaks on public forums or paste sites after the May 6 deadline
• Educational institutions using Canvas LMS should review their data security posture and prepare incident response plans
• Individuals potentially affected should monitor for phishing attempts and identity theft indicators
• Security teams should check for any unusual activity in Salesforce instances connected to Instructure

Disclaimer

This report is based on an unverified claim posted by the ransomware group ShinyHunters on their leak site. Yazoul Security has not independently verified any of the information contained in this report. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into paying ransoms. The data volumes, victim numbers, and specific details provided by the threat actor should be treated with skepticism until confirmed by Instructure Holdings, Inc. or independent security researchers. No PII, download links, credentials, or access methods have been included in this report. Organizations should not take action based solely on this unverified intelligence.