"ShinyHunters said it stole 280 million data records from 8,809 colleges, school districts, and online education platforms." That staggering figure — claimed by the extortion group and reported by BleepingComputer — is the opening fact in a breach that has prompted a congressional demand for answers and left schools scrambling during final exams.
Timeline: April 29 detection, May 3 disclosure, and a rapid repeat attack
According to company disclosures first reported by BleepingComputer, Instructure detected an intrusion on April 29 and publicly disclosed the incident on May 3. Within a single week, the same threat actor group, ShinyHunters, carried out two separate intrusions affecting Instructure’s Canvas learning management platform: an initial data theft and a subsequent defacement of Canvas login portals that disrupted access for students and staff.
What was taken and what was exposed on Canvas
Instructure said the breach resulted in the theft of data belonging to students and school staff who use Canvas. The company listed exposed items as names, email addresses, student identification numbers, and messages exchanged between students and teachers on the platform. Instructure stated that the data did not include passwords, financial information, or government identifiers.
ShinyHunters publicly claimed responsibility and furnished a tally — the 280 million records figure — along with a list of 8,809 impacted colleges, school districts, and online education platforms. Stolen-record counts on that list ranged from tens of thousands to several million per institution, the reporting said.
Technique and disruption: XSS, authenticated admin sessions, and defacements
BleepingComputer reported that the attackers exploited multiple cross-site scripting (XSS) vulnerabilities to obtain authenticated admin sessions. With those sessions, the threat actors were able to modify login portal pages and display extortion messages. The defacements affected institutions across multiple states during final exams and end-of-semester activities; the disruption was severe enough that some colleges canceled exams.
Congressional scrutiny: House Homeland Security Committee requests testimony
The House Committee on Homeland Security has asked Instructure to provide testimony. In a letter sent Monday afternoon to Instructure CEO Steve Daly, Committee Chairman Andrew R. Garbarino wrote that the committee is investigating the breach, calling the repeated compromises “concerning” for the tens of millions of students, educators, and administrators who rely on Canvas.
The committee requested that Instructure or a senior company representative participate in a briefing no later than May 21 to discuss both intrusions, the stolen data, containment and notification efforts, and coordination with federal agencies. The committee said the repeated breaches raise “serious questions” about Instructure’s incident response capabilities and its obligations to properly protect the data it stores.
Impact across states and institutions
Schools in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin reported disruptions tied to the incident, the committee’s letter noted. The combination of stolen personal information and login-portal defacements amplified operational impacts, with students and administrators encountering interrupted access at a critical moment in the academic calendar.
What this means for technologists, the Homeland Security Committee, and affected schools
- Technologists and security teams: The use of multiple XSS vectors to escalate to authenticated admin sessions highlights attention points for application security and admin-session protections, and will likely focus remediation on input sanitization, admin interface hardening, and incident containment practices.
- The Homeland Security Committee: The committee has signaled it will press for direct answers about containment, notification, and federal coordination; it has set a near-term briefing deadline of May 21 and framed the repeated breaches as grounds for scrutiny of Instructure’s incident response.
- Affected colleges and school districts: Institutions facing canceled exams and portal outages must assess notification obligations for exposed data elements (names, emails, student IDs, and messages), and coordinate with any federal guidance or the briefing requested by the committee.
Late developments added complexity: the reporting said that after ShinyHunters removed Instructure from its data leak site, Instructure disclosed it had reached an agreement with the group to stop the public leak and ensure deletion of the stolen data. The company did not state explicitly whether a ransom payment was made, and BleepingComputer noted that extortion groups rarely agree to delete stolen data or halt leaks unless some form of payment or agreement has been reached.
The immediate next step is the requested May 21 briefing to the House Committee on Homeland Security. That forum will be the first formal opportunity, according to the committee’s letter, for Instructure to explain both intrusions, the scope of stolen data, how containment and notifications were handled, and what federal coordination took place. Until then, the breach leaves tens of millions of education users exposed on paper, and many institutions still sorting the practical fallout of defaced login portals during a critical academic period.




