ShinyHunters Claims Theft of 280 M Records from Instructure’s Canvas LMS Across 8,800 Educational Institutions
What Happened – The extortion group ShinyHunters announced that it exfiltrated roughly 280 million user records—including names, email addresses, private messages, and enrollment data—from Canvas learning‑management instances used by 8,809 schools, districts, and online education platforms. The data was allegedly harvested via Canvas’s built‑in export tools (DAP queries, provisioning reports, and user APIs).
Why It Matters for TPRM –
- One breach at a single SaaS provider can expose personal data for millions of downstream customers.
- The breach highlights the risk of over‑privileged API access and inadequate monitoring of bulk‑export functions.
- Third‑party risk assessments must now consider the security posture of education‑technology vendors and their data‑export controls.
Who Is Affected – Higher‑education institutions, K‑12 school districts, and any organization that licenses Canvas for learning management.
Recommended Actions –
- Verify whether your organization uses Canvas or any Instructure‑hosted services.
- Request evidence of recent security reviews, especially around API and export‑feature hardening.
- Enforce least‑privilege access for administrators and monitor bulk‑export activity.
- Update incident‑response playbooks to include potential data‑exfiltration via legitimate export mechanisms.
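One way to implement the bulk-export monitoring recommended above, as an added example that is not from the source article or from Instructure. The event schema, channel labels, actor names, and thresholds are all assumptions; map them onto whatever audit data your Canvas tenant or SIEM actually provides.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Export channels named in the brief; the string labels are hypothetical.
EXPORT_CHANNELS = {"dap_query", "provisioning_report", "users_api"}

# Constructed sample events: (timestamp, actor, channel, rows returned).
# This is an assumed normalized schema, not Canvas's real audit-log format.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "admin_a", "users_api", 200),
    ("2025-01-10T15:00:00", "admin_a", "provisioning_report", 1500),
    ("2025-01-10T02:00:00", "svc_sync", "dap_query", 50000),
    ("2025-01-11T02:00:00", "svc_sync", "dap_query", 50000),
    ("2025-01-11T03:00:00", "admin_b", "users_api", 60000),
    ("2025-01-11T03:10:00", "admin_b", "provisioning_report", 30000),
    ("2025-01-11T03:20:00", "admin_b", "dap_query", 250000),
    ("2025-01-11T03:25:00", "admin_b", "login", 0),  # not an export; ignored
    # Chunked pulls: each request is modest, the hourly total is not.
    *[(f"2025-01-11T10:{m:02d}:00", "admin_c", "users_api", 25000)
      for m in range(0, 50, 10)],
]


def flag_bulk_exports(events, window=timedelta(hours=1),
                      max_rows=100_000, max_channels=2):
    """Return {actor: [reasons]} for actors whose export activity inside
    any sliding window exceeds the row or distinct-channel limit."""
    parsed = sorted(
        (datetime.fromisoformat(ts), actor, channel, rows)
        for ts, actor, channel, rows in events
        if channel in EXPORT_CHANNELS
    )
    recent = defaultdict(deque)   # actor -> events still inside the window
    findings = defaultdict(set)
    for ts, actor, channel, rows in parsed:
        q = recent[actor]
        q.append((ts, channel, rows))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if sum(r for _, _, r in q) > max_rows:
            findings[actor].add("row_volume")
        if len({c for _, c, _ in q}) > max_channels:
            findings[actor].add("multi_channel")
    return {actor: sorted(reasons) for actor, reasons in findings.items()}


if __name__ == "__main__":
    for actor, reasons in flag_bulk_exports(SAMPLE_EVENTS).items():
        print(actor, reasons)
```

Summing per actor over a window, rather than alerting on single requests, is what catches an export split into many ordinary-looking calls; tune both limits against each account's normal baseline.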
Technical Notes – The attackers claim to have leveraged legitimate Canvas export capabilities (DAP queries, provisioning reports, user APIs) after obtaining privileged credentials. No specific CVE was disclosed; the vector is essentially credential abuse of a cloud‑based SaaS platform. Exfiltrated data includes personally identifiable information (PII) and internal communications.
Source: BleepingComputer