“They stole 3.65 terabytes of data spanning 275 million records across 8,809 school systems,” the threat group posting on its data-leak site claimed — a single figure that, if true, would make this one of the largest education-sector exposures researchers say they have tracked.
ShinyHunters' claims and escalation
ShinyHunters, a decentralized crew of cybercriminals affiliated with The Com, claimed responsibility for the intrusion on its data leak site and has attempted to extort Instructure over an undisclosed ransom amount. The group initially set a May 6 deadline — four days after Instructure disclosed it had contained an incident — and when that passed it escalated by injecting an extortion message into the Canvas login pages of roughly 330 institutions and pivoting to school-by-school extortion with a current deadline of May 12, according to Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center.
After defacing login pages, ShinyHunters removed Instructure from its leak site; Halcyon said the group has a “known pattern of removing victim entries once communications and negotiations have started.” Halcyon and other researchers note ShinyHunters has previously targeted major cloud platforms and employed voice phishing, credential theft and supply-chain attacks in past incidents.
Instructure’s response, timeline, and technical steps
Instructure said it first detected unauthorized activity in Canvas on April 29, immediately revoked the attacker’s access, and started an incident response. The company later tied a May 7 public login-page defacement to the same incident and said the actor exploited an issue related to Free-For-Teacher accounts. As a result, Instructure temporarily shut down Free-For-Teacher accounts.
CEO Steve Daly apologized for inconsistent public communication and promised a forthcoming summary of a forensics report. Daly acknowledged the attack exposed usernames, email addresses, course names, enrollment information and messages, while asserting that course content, submissions and credentials were not compromised. The company said it revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls and monitoring.
CrowdStrike is assisting the investigation. Instructure said CrowdStrike reviewed known indicators of compromise and “found no evidence that the threat actor currently has access to the platform.” Still, several districts reported spotty access as they restored Canvas in phases after conducting internal checks.
Instructure declined to confirm whether a ransom demand exists and did not answer detailed questions about the vulnerability or how the attackers initially intruded its systems. The company also has not indicated what it plans to do regarding the prevention of any potential leak of stolen data.
House Homeland Security Committee and CISA oversight
The incident drew attention on Capitol Hill. The House Homeland Security Committee published a letter to Daly seeking a briefing by May 21 with him or a senior leader at Instructure. Committee Chairman Andrew Garbarino, R-N.Y., wrote that “the recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds.”
The committee requested details about the “circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency.”
CISA said it was “aware of a potential cyber incident affecting Canvas” and noted that, as the nation’s cyber defense agency, it “provide[s] voluntary support and cybersecurity services to organizations in responding to and recovering from incidents,” according to Chris Butera, the agency’s acting executive assistant director for cybersecurity. CISA did not describe the extent of its involvement in Instructure’s response.
What this means for technologists, school leaders, and parents
- Technologists and security teams: Halcyon called the scope “one of the largest single education-sector exposures we’ve tracked” and warned this incident highlights how third‑party software vendors can become an attack surface that creates cascading effects across an entire sector. Security teams will be watching for indicators of compromise, token-rotation practices, and the integrity of vendor-managed account types such as Free-For-Teacher.
- School leaders and administrators: The outage that followed the escalation disrupted coursework and access to critical systems; districts are restoring Canvas in phases after performing internal checks. Administrators must balance re‑opening classroom access with ensuring their local risk assessments are complete.
- Parents, students and staff: Instructure says exposed items include usernames, email addresses, course names, enrollment information and messages — data Halcyon warned could create downstream phishing and impersonation risk that “will outlast the immediate incident,” particularly because it includes minors’ data.
Experts quoted in the coverage urged caution about ShinyHunters’ public claims. Allison Nixon, chief research officer at Unit 221B, said the group “should not be trusted,” noting past actors have made false statements and that promises to delete data after payment have been unreliable.
The immediate calendar frames the next steps: ShinyHunters’ school-by-school pressure carried a May 12 deadline, and the House committee has requested a briefing by May 21. Instructure has promised a forensics summary “soon,” CrowdStrike reports no current evidence of platform access, and investigators continue to examine the scope, the chain of access through Free-For-Teacher accounts, and the potential downstream risks to students, staff and families.




