Overview
- Instructure, which runs the Canvas learning platform, said Wednesday it reached an agreement with ShinyHunters that resulted in the stolen data being returned with digital “shred logs” and it declined to say whether any payment was made.
- Reporting attributes the breach to about 3.65 terabytes of data tied to roughly 275 million people across nearly 9,000 institutions, with names, emails, student IDs, course details and private messages exposed while the company says passwords and financial or government IDs were not involved.
- The intrusions exploited a flaw linked to support tickets in Canvas’s Free‑For‑Teacher environment, prompting Instructure to disable those accounts, revoke credentials and tokens, rotate keys, apply patches and increase monitoring.
- The U.S. House Committee on Homeland Security requested a briefing on the two May intrusions and the company’s response, and at least two dozen federal lawsuits have been filed alleging inadequate safeguards and ongoing risks.
- Schools reported outages during final exams and security researchers warn the exposed records can drive phishing and impersonation even after a purported deletion, so institutions are urged to alert students, staff and parents to suspicious messages.