Hackers steal student data during hack of education technology giant Instructure

Education technology giant Instructure has confirmed a data breach affecting students’ private information. The hacking and extortion gang ShinyHunters claimed responsibility for the hack.

The hackers claim they stole students’ names, personal email addresses, and messages sent between teachers and students — the same type of data that Instructure admitted to stealing.

Instructure is the latest giant company to be hacked by the ShinyHunters gang. Cybercriminals have targeted universities and cloud database companies in recent months, trying to steal huge amounts of people’s personal information and threatening to publish the data online if companies do not pay hackers’ ransom.

A ShinyHunters member shared a sample of the stolen data with TechCrunch, which included data from two schools in the United States, one in Massachusetts and one in Tennessee. In the Massachusetts case, the data included messages containing names, email addresses, and some phone numbers. As for the school in Tennessee, the sample included students’ full names and email addresses.

The sample did not contain passwords or other types of data that Instructure said was not affected by the breach.

TechCrunch is not naming the schools because they are not confirmed victims. Based on information appearing on their websites, both schools appear to be using Instructure’s Canvas platform, which allows customers to manage coursework, assignments, and communicate with students.

ShinyHunters also shared a list of around 8,800 schools allegedly affected by the breach. TechCrunch was unable to confirm whether all of the organizations listed were affected, nor whether they were Instructure customers. Instructure says on its official website that it has more than 8,000 organizations as clients.

When contacted by TechCrunch, Instructure spokesperson Kate Holmes did not answer several questions about the incident, instead pointing to the company’s official page where it posts updates about the hack.

On its data leak site, where ShinyHunters claims responsibility for data breaches and attempts to pressure victims to pay ransoms, hackers claim the hack affected nearly 9,000 schools around the world, and the data of 275 million people, including students, teachers and other staff. In an online chat, the ShinyHunters member told TechCrunch that the total number of unique emails included in the stolen data reached 231 million.

Financially motivated hacking groups are known to exaggerate their claims to attract media attention, as well as their victims.

As of Tuesday, Instructure said some of its products, such as Canvas, had been restored to customers after undergoing maintenance.