Hackers steal students’ data during breach at education tech giant Instructure

Instructure, a leading player in educational technology, has acknowledged a significant data breach that has compromised the private information of students. The hacking group known as ShinyHunters has taken responsibility for this intrusion, claiming they have accessed sensitive data including students' names, personal email addresses, and messages exchanged between educators and students. This incident marks another attack by ShinyHunters, who have increasingly targeted universities and cloud database services, aiming to pilfer vast amounts of personal information. The group is notorious for threatening to release stolen data unless a ransom is paid by the affected organizations. A representative from ShinyHunters shared a sample of the stolen information with TechCrunch, which revealed data from two U.S. educational institutions, one located in Massachusetts and another in Tennessee. The data from the Massachusetts school included messages containing names, email addresses, and some phone numbers, while the Tennessee sample comprised students' full names and email addresses. Notably, the leaked information did not include passwords or other data that Instructure has indicated remains secure. TechCrunch opted not to disclose the names of the schools, as they have not been officially confirmed as victims. However, indications suggest that both institutions utilize Instructure's Canvas platform, a service designed for managing coursework and facilitating communication between teachers and students. Additionally, ShinyHunters has claimed that approximately 8,800 educational institutions worldwide may have been impacted by this breach, although TechCrunch could not verify the accuracy of this list or whether these institutions are indeed customers of Instructure. The company currently reports servicing over 8,000 educational entities. When approached for comments, Instructure's spokesperson, Kate Holmes, refrained from addressing specific inquiries regarding the breach and instead directed attention to the company's official website, where updates are being posted. On their data leak platform, ShinyHunters asserts that the breach has affected nearly 9,000 schools globally, putting the data of around 275 million individuals at risk, including students, educators, and staff members. A member of the hacking group also claimed that the total unique emails involved in the breach amount to 231 million. It is important to note that financial hacking groups often exaggerate their figures to attract media focus and apply pressure on their targets. As of the latest updates, Instructure reported that some of its services, like Canvas, have been restored following maintenance efforts.