ShinyHunters' two strikes and Instructure's interrupted service
Earlier this month, the threat group ShinyHunters breached Instructure’s Canvas platform twice in one week, defacing login pages at hundreds of schools during final exams, forcing Canvas offline, and extracting a ransom payment, according to reporting by Rishi Kaushal. The attackers removed 3.65 terabytes of data covering roughly 275 million users across more than 8,000 institutions. The incident did not rely on exotic malware or zero-day exploits: attackers entered through compromised "Free-For-Teacher" accounts, escalated rapidly, and exfiltrated sensitive data at scale before Instructure could contain them.
Compromised "Free-For-Teacher" accounts and why identity is the perimeter
The breach followed a familiar operational playbook: compromise legitimate accounts that carry excessive standing privileges, then move laterally, maintain persistence, and harvest data. As Rishi Kaushal writes, identity has become the most reliable attack surface in modern enterprises. Many organizations maintain fragmented identity controls, inconsistent privilege management, and limited visibility into how accounts interact across SaaS integrations — conditions that let attackers "inherit" broad access when they seize an account.
Strong passwords and multifactor authentication are described as necessary but insufficient. The op-ed recommends continuous identity verification, tightly scoped privileges, aggressive governance of third-party integrations, and real-time visibility into anomalous access across SaaS systems — treating identity governance as primary infrastructure rather than a compliance checkbox.
Data exfiltration at scale: why availability metrics miss the point
The scale of disruption from the Canvas outages came from how deeply institutions depended on the platform, not from any single technical vulnerability. Thousands of students could not access coursework, faculty lost contact with classes, and administrators scrambled to postpone exams because Canvas is a single point of operational concentration for many institutions. Kaushal argues that enterprise security frameworks that focus on uptime and recovery time objectives misunderstand modern SaaS risk: availability is insufficient when the platform is operational but the data inside has already been stolen.
When application-layer access controls fail, data inside SaaS platforms is immediately readable, searchable, and monetizable. Attackers can extort institutions because stolen data retains leverage long after technical remediation; restoring uptime does not erase the value of exfiltrated records.
Cryptography, "harvest now, decrypt later," and post-quantum readiness
The op-ed highlights a second often-overlooked problem: the data inside SaaS platforms is frequently less protected than the credentials used to access it. Cryptographic protections that preserve organizational control over sensitive data even after it leaves a platform directly reduce the value of exfiltration, the piece argues. Kaushal warns of a "harvest now, decrypt later" threat model — adversaries collect encrypted data today expecting to decrypt it later as cryptographic standards age or quantum capabilities advance.
Accordingly, the piece urges crypto-agility and post-quantum readiness: protect data cryptographically so that stolen information is unreadable and therefore far less useful as an extortion instrument, and prepare for future risks that could make current encryption obsolete.
What this means for technologists, policymakers, and affected institutions
- Technologists and security teams: tighten identity governance as mission-critical infrastructure, scope privileges aggressively, and deploy cryptographic protections that persist beyond the platform.
- Policymakers and regulators: Congress has opened a formal investigation; Kaushal notes that Instructure’s CEO has been called to testify before the House Homeland Security Committee, and that affected institutions remain accountable for student data they no longer control.
- Affected institutions and procurement leaders: re-evaluate how dependence on shared SaaS platforms concentrates operational risk and insist on controls that reduce blast radius — not just measures that restore service after compromise.
The Canvas breach is not an argument against SaaS platforms themselves, Kaushal writes, but a wake-up call about the assumptions underlying enterprise security. Prevention remains necessary, but the calculus must change: assume compromise is continuous, limit how far an attacker can go inside, make stolen data unreadable, and plan for cryptographic futures. As Kaushal concludes, a new priority for security and technology leaders must be reducing the blast radius of every intrusion before it happens — because another breach will come, and "the only variable is how much it costs."




