Education technology firm Infrastructure, best known for its widely used learning management platform Canvas, confirmed that it was the victim of a data breach. Yesterday, the ShinyHunters cybercrime group claimed they stole 3.65 terabytes of data from more than 9,000 schools.
We are providing an update on the security incident we advised you of yesterday. While our investigation continues alongside our outside forensics experts, at this stage we believe the incident has been contained.
Here are the steps we have taken since we became aware of the incident. We have:
– Revoked privileged credentials and access tokens associated with affected systems
– Deployed patches to enhance system security
– Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused
– Implemented increased monitoring across all platforms
While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.
Brian Bell, CEO of customer identity and access management platform FusionAuth:
“This is the uncomfortable truth for edtech: student data now moves through a sprawling web of identity systems, APIs, and third-party integrations. Instructure has not confirmed how the attackers got in, but its response shows where the risk had to be contained, privileged credentials, access tokens, and application keys. In edtech, credential governance is student data protection.”
Ensar Seker, CISO at threat intel company SOCRadar:
“The disruption tied to API keys is a strong indicator that identity and access management, not just perimeter security, was the real failure point. When privileged tokens or API credentials are exposed, attackers can bypass traditional defenses and operate as trusted entities. In environments like Instructure’s Canvas, where integrations and automation are core, this creates a high-impact blast radius very quickly.
“The involvement of ShinyHunters and claims of access to a Salesforce instance suggest this may be more than a single-system breach, it points to lateral movement across SaaS ecosystems. Organizations often underestimate how interconnected these platforms are; once attackers gain a foothold, misconfigured integrations and over-permissioned tokens allow them to pivot and aggregate data at scale. Even if highly sensitive fields like financial data or government IDs were not exposed, the combination of names, emails, student IDs, and communications still creates long-term risk. This type of dataset is extremely valuable for phishing, identity correlation, and social engineering campaigns, especially in education, where users are less likely to question trusted platforms.
“The key lesson here is that revoking credentials after the fact is necessary but not sufficient. Organizations need continuous monitoring of API behavior, strict token lifecycle management, and least-privilege enforcement across all integrations. In modern breaches, it’s not just about how attackers get in, it’s about how long they can operate undetected using legitimate access.”
This likely won’t end well in the long term as ShinyHunters is involved. They are on a tear as of late with no end in sight to their spree of hacking anything within their reach.
Like this:
Like Loading...
Related
This entry was posted on May 4, 2026 at 2:29 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Edtech Firm Instructure Admits To Being Pwned
Education technology firm Infrastructure, best known for its widely used learning management platform Canvas, confirmed that it was the victim of a data breach. Yesterday, the ShinyHunters cybercrime group claimed they stole 3.65 terabytes of data from more than 9,000 schools.
We are providing an update on the security incident we advised you of yesterday. While our investigation continues alongside our outside forensics experts, at this stage we believe the incident has been contained.
Here are the steps we have taken since we became aware of the incident. We have:
– Revoked privileged credentials and access tokens associated with affected systems
– Deployed patches to enhance system security
– Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused
– Implemented increased monitoring across all platforms
While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.
Brian Bell, CEO of customer identity and access management platform FusionAuth:
“This is the uncomfortable truth for edtech: student data now moves through a sprawling web of identity systems, APIs, and third-party integrations. Instructure has not confirmed how the attackers got in, but its response shows where the risk had to be contained, privileged credentials, access tokens, and application keys. In edtech, credential governance is student data protection.”
Ensar Seker, CISO at threat intel company SOCRadar:
“The disruption tied to API keys is a strong indicator that identity and access management, not just perimeter security, was the real failure point. When privileged tokens or API credentials are exposed, attackers can bypass traditional defenses and operate as trusted entities. In environments like Instructure’s Canvas, where integrations and automation are core, this creates a high-impact blast radius very quickly.
“The involvement of ShinyHunters and claims of access to a Salesforce instance suggest this may be more than a single-system breach, it points to lateral movement across SaaS ecosystems. Organizations often underestimate how interconnected these platforms are; once attackers gain a foothold, misconfigured integrations and over-permissioned tokens allow them to pivot and aggregate data at scale. Even if highly sensitive fields like financial data or government IDs were not exposed, the combination of names, emails, student IDs, and communications still creates long-term risk. This type of dataset is extremely valuable for phishing, identity correlation, and social engineering campaigns, especially in education, where users are less likely to question trusted platforms.
“The key lesson here is that revoking credentials after the fact is necessary but not sufficient. Organizations need continuous monitoring of API behavior, strict token lifecycle management, and least-privilege enforcement across all integrations. In modern breaches, it’s not just about how attackers get in, it’s about how long they can operate undetected using legitimate access.”
This likely won’t end well in the long term as ShinyHunters is involved. They are on a tear as of late with no end in sight to their spree of hacking anything within their reach.
Share this:
Like this:
Related
This entry was posted on May 4, 2026 at 2:29 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.