ShinyHunters exploited an issue with Instructure’s Free-for-Teacher accounts—a demo program for educators whose schools weren’t Canvas users, the company said. It said names, student ID numbers, and messages among Canvas users were compromised in the breach, but no government identifiers or financial information.
Instructure was hit with at least seven federal suits, six filed in the US District Court for the District of Utah. KKR, which purchased Instructure in 2024 for approximately $4.8 billion, is a named defendant in a case filed in the Southern District of New York.
“Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate,” Instructure said in a statement to Bloomberg Law. Temporarily shutting down the Free-for-Teacher accounts gave “us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
ShinyHunters claims the breach impacted 275 million students, teachers, and staff members worldwide across nearly 9,000 educational institutions. KKR declined to comment.
The timing of the hack, as the academic year came to a close, disrupted classes, finals, and services at academic institutions worldwide, including at Stanford, Yale, Princeton, the University of Manchester, and the University of Oslo.
Edtech companies have been the targets of massive data breaches in the past. PowerSchool suffered a breach in 2024 that exposed the information of nearly 50 million K-12 students and teachers and 4,700 school districts. Litigation over it is ongoing, with PowerSchool and owner Bain Capital largely unable to convince a federal court to dismiss the claims made by individual victims.
And Illuminate Education Inc. agreed last year, at the Federal Trade Commission’s behest, to implement a data security program following a cybersecurity incident that exposed millions of students’ academic records and health-related information.
KKR failed to honor its responsibility to protect personal data, according to the New York complaint filed by a University of Denver alum. He asserts negligence claims against the investment firm and Instructure. The lawsuits in federal Utah court collectively assert negligence, breach of legal obligations, and unjust enrichment claims on behalf of a proposed nationwide class.
Marshall Olson & Hull PC represents the plaintiffs in Utah. Milberg PLLC, KO Lawyers, and Carella Byrne Cecchi Brody Agnello PC represent the plaintiff in the first-filed case, Jabon Peterman. Yagman PLLC represents the plaintiff who filed in New York, Aaron Hinds.
The cases are Hinds v. KKR & Co. Inc., S.D.N.Y., No. 1:26-cv-03816, complaint filed 5/8/26 and Peterman v. Instructure Inc, D. Utah, No. 2:26-cv-00374, complaint filed 5/5/26.
To contact the reporter on this story:
To contact the editor responsible for this story: