On May 3, the cybercrime group ShinyHunters announced it had breached Instructure, affecting the data of hundreds of millions, including 306,000 users from Penn. The group plans to leak the compromised data, which includes emails, names, and Penn ID numbers, by May 8 unless contacted by the affected institutions.
ShinyHunters is notorious for large-scale data breaches and claims to have also secured “billions of private messages” from students and faculty, potentially exposing sensitive information such as phone numbers and addresses. The Daily Pennsylvanian confirmed the data breach after a member of the group shared a sample of the stolen information.
Instructure had previously reported a cybersecurity incident on May 1, noting they were working with cybersecurity experts and law enforcement to assess the situation. Joshua Beeman, Vice President of Information Technology at Penn, emphasized the priority of securing the university's data and mentioned collaboration with relevant parties to evaluate the impact of this breach.
ShinyHunters previously targeted Penn in the fall of 2025, releasing thousands of internal files after the university reportedly refused to pay a $1 million ransom.