ShinyHunters claim 275 million Canvas LMS records, set 12 May leak deadline

The hacking collective ShinyHunters claims to have stolen 275 million records from Instructure’s Canvas learning platform, naming Australia among the regions affected and giving the company until end of business on 12 May 2026 to respond before publishing the data.

The threat actor said it had pulled 3.65 terabytes of records from 8,809 schools and universities, the threat-intelligence firm Halcyon told industry outlet smbtech.au. ShinyHunters separately gave TechCrunch a lower count of 231 million people. Either figure would rank among the largest education-sector incidents on record.

Canvas, owned by Utah-based Instructure Holdings (NYSE: INST), is one of the dominant learning management systems in the global higher-education market. It is used across most Australian universities and a growing share of K-12 systems. Instructure does not publish a country-by-country customer list. ShinyHunters told reporters its dataset spans the United States, the United Kingdom, New Zealand, Australia, Sweden and the Netherlands.

Salesforce vector, second breach in eight months

Instructure chief information security officer Steve Proud confirmed an intrusion into the company’s Salesforce environment, which holds customer-relationship data tied to Canvas accounts. The vendor said the underlying vulnerability had been patched.

It is the second time ShinyHunters has hit the same Salesforce tenant. The first compromise, in September 2025, was traced to social engineering of a Salesforce administrator account. The May 2026 incident exploited a software flaw in the same environment. Halcyon said the pattern points to incomplete remediation after the earlier breach.

“Two confirmed breaches by the same threat actor suggests a pattern demanding scrutiny of remediation efforts,” Keeper Security chief executive Darren Guccione said in commentary issued to smbtech.au. He said identity access governance had to be treated as “continuous discipline, not a post-incident checklist”.

The University of Pennsylvania, named on ShinyHunters’ leak listing, has confirmed exposure. Its chief information officer Joshua Beeman told the institution’s community that more than 306,000 user records tied to its Canvas tenant were in the dataset. Penn was the only education customer to formally acknowledge data loss at time of publication.

What the data contains

The records claimed by ShinyHunters include personal identifiers, institutional account information and private communications inside the Canvas platform, according to Halcyon’s review of a sample posted to a dark-web leak site. Both adult students and minors enrolled through K-12 deployments are represented. Hashed passwords and assignment content are also present in the sample, the firm said, though it has not published the file inventory.

For Australian institutions running Canvas, the immediate exposure surface is the same set of fields any LMS account holds: full name, institutional email address, student or staff identifier, course enrolment history and any messages exchanged through the platform’s inbox. Australians worried about whether a personal email is in the leak can run it through the free have-i-been-pwned style services we’ve previously walked through once the data is published.

The Australian Cyber Security Centre had not issued a Canvas-specific advisory at time of publication. The agency last week warned of unrelated ClickFix social-engineering attacks delivering Vidar Stealer through compromised WordPress sites, and broader supply-chain compromises remain a recurring theme in its 2025-26 advisory catalogue.

Industry response

Tony Jarvis, director of enterprise security for Asia Pacific and Japan at Darktrace, said the scale of the claimed dataset made the incident notable even by the standards of recent third-party Salesforce intrusions. “Nearly 9,000 schools and universities worldwide affected, potentially 275 million individuals affected,” Jarvis said. He urged students whose institutions use Canvas to reset passwords, enable multi-factor authentication and watch for phishing attempts using stolen course context as a lure.

Jarvis added a defender-side line that has become a refrain after the 2025 wave of Salesforce token-abuse incidents tied to ShinyHunters: “Systems will have vulnerabilities that we aren’t aware of.”

The group, which emerged in early 2020 with a string of consumer-database thefts, has shifted in recent years to enterprise SaaS targets. Investigators have linked it to the 2024 Snowflake credential thefts, the 2025 wave of AI-generated voice-phishing calls used to capture Salesforce session tokens, and a series of 2026 third-party integrator compromises. The Canvas claim, if validated, would be its largest single-incident victim count.

Regulatory backdrop

The breach lands as Australian regulators continue to push enterprises to harden cyber-resilience. The Australian Securities and Investments Commission has ordered the financial sector to lift cyber maturity and explicitly named frontier-AI-driven attack tooling as a near-term threat. The Office of the Australian Information Commissioner’s notifiable-data-breaches scheme would compel any AU-headquartered Canvas customer to notify affected individuals once exposure is confirmed.

Instructure has not commented on whether it intends to negotiate over the leak deadline or treat ShinyHunters’ deadline as a bluff. The group has previously published its Snowflake-related dumps after public deadlines lapsed without payment.

The 12 May cut-off lands during the first-semester teaching period at most Australian universities. CIOs at Australian Group of Eight institutions contacted for this story did not respond by deadline.