Overview
- Instructure said the thief returned the files and sent digital shred logs after a deal that it says also bars any further extortion of its customers.
- The breach touched about 9,000 institutions and an estimated 275 million people, with roughly 3.65 terabytes taken that included names, emails, student IDs and private messages, not passwords or financial data.
- Investigators say the attackers abused a flaw tied to Canvas’s Free‑For‑Teacher support ticket flow, first exfiltrating data in late April and then defacing hundreds of login pages on May 7.
- The House Homeland Security Committee requested a briefing in a Monday letter that seeks details on both intrusions, the data accessed and how Instructure worked with the FBI and CISA, as lawsuits in the U.S. begin to mount.
- Security officials and experts warn the agreement does not guarantee deletion and that exposed details can drive phishing, so schools are urging students and staff to watch for impersonation attempts during exams and beyond.