Hacker claims data theft from 8,800 schools, universities
▼ Summary
– The ShinyHunters extortion gang claims responsibility for a breach at Instructure, stealing 280 million records from 8,809 institutions.
– Instructure, known for its Canvas learning management system, confirmed a data breach exposing user names, email addresses, and private messages.
– The threat actors allegedly used Canvas data export features like DAP queries and user APIs to steal hundreds of gigabytes of user records and enrollment data.
– Record counts per impacted institution range from tens of thousands to several million, according to the hackers’ posted list.
– Universities like Colorado Boulder, Rutgers, and Tilburg have issued statements acknowledging the breach while investigating its impact on their campuses.
A hacker claiming responsibility for a data breach at Instructure, the company behind the widely used Canvas learning management system, says they have stolen 280 million records from 8,809 colleges, school districts, and online education platforms. The stolen data allegedly includes information on students and staff.
Instructure, a cloud-based education technology firm, is best known for Canvas, a platform that schools and universities rely on for managing coursework, assignments, grading, and communication. Last Friday, the company disclosed it was investigating a cyberattack and later confirmed a data breach that exposed users’ names, email addresses, and private messages.
The ShinyHunters extortion gang has claimed responsibility, stating they stole 280 million records belonging to students, teachers, and staff. The group has now published a list of the affected institutions, sharing record counts per organization with BleepingComputer. These counts range from tens of thousands to several million records for each school or district.
BleepingComputer has not independently verified whether all listed institutions were impacted, so specific names are not being disclosed. According to the threat actors, the data was extracted using Canvas data export features, including DAP queries, provisioning reports, and user APIs, allowing them to harvest hundreds of gigabytes of user records, messages, and enrollment data.
Although Instructure has not responded to repeated inquiries, some universities are beginning to issue statements. The University of Colorado Boulder warned that it is aware of a breach involving Instructure and described it as a “nationwide event affecting multiple institutions.” Rutgers University noted that while it has not been notified of direct impact, Canvas remains available and operational. Tilburg University in the Netherlands stated that an investigation is underway, but it has not yet confirmed whether its students and staff data was affected.
BleepingComputer has contacted Instructure again with additional questions and will update this story if a response is received.
(Source: BleepingComputer)
