Overview
- Instructure said it reached an agreement with the group claiming responsibility for the Canvas breach and that the stolen data was returned and digitally “shredded”; Inside Higher Ed reported the company paid a ransom.
- The company traced both the breach and later portal defacements to a flaw in the Free‑for‑Teacher environment that allowed cross‑site scripting and admin‑level access, and it has disabled that feature during a security review.
- Canvas access has been restored for most paying institutions after outages that disrupted classes and exams, while schools continue phased checks and warn users to watch for phishing or impersonation attempts.
- Instructure said exposed data matched directory‑type fields such as names, email addresses, student IDs, course and enrollment details, and messages, and it reported no evidence of compromised passwords, birth dates, government IDs, or financial data.
- CrowdStrike is supporting the forensic work, CISA said it is aware and offering voluntary assistance, and the House Homeland Security Committee requested a briefing to probe the intrusions and the company’s response.