Instructure Confirms Return of Stolen Canvas Data Amid Congressional Inquiry
Instructure claims stolen Canvas data was returned and destroyed after a ShinyHunters extortion episode, prompting a House Homeland Security Committee briefing request.

TL;DR
Instructure says hackers returned 3.65 TB of Canvas data after an extortion deal, while Congress seeks answers.
Context
Instructure detected unauthorized activity in Canvas on April 29 and immediately revoked the attacker’s access. Despite that, the threat group defaced login pages of roughly 330 institutions on May 7, injecting extortion messages and shifting to school‑by‑school demands with a new deadline of May 12. The company took Canvas offline, disrupting access for thousands of K‑12 and university users.
Key Facts
ShinyHunters claimed to have exfiltrated 3.65 terabytes of data—about 275 million records from 8,809 school systems—and set an initial ransom deadline of May 6. Instructure later stated the stolen data was returned and that it received digital confirmation of its destruction. The House Homeland Security Committee sent a letter to Instructure’s CEO requesting a briefing by May 21 on the incident.
What It Means
The episode raises concerns about the resilience of widely used education platforms and the effectiveness of incident response when attackers persist after initial containment. Lawmakers’ scrutiny may lead to tighter oversight of ed‑tech vendors and pressure to improve breach notification practices. For schools, the incident highlights the need to verify vendor security claims and to maintain independent backups of critical data.
Mitigations
Security teams should enforce multi‑factor authentication on all administrative accounts, review and rotate privileged credentials, and monitor for anomalous login attempts using SIEM rules tied to MITRE ATT&CK T1078 (Valid Accounts). Deploy web‑application firewall rules that block unauthorized content changes (T1190 – Exploit Public‑Facing Application) and enable file‑integrity monitoring on public‑facing pages. Keep Canvas and underlying dependencies patched, prioritize CISA’s Known Exploited Vulnerabilities catalog, and ensure endpoint detection and response tools flag suspicious PowerShell or script execution (T1059.007). Finally, segment network traffic between web front‑ends and internal databases to limit lateral movement.
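The file-integrity monitoring recommended above can be sketched as follows. This is an added example, not code from Instructure or the original article: it hashes normalized page content against a known-good baseline and reports modified, missing, and unexpected pages. The paths, page bodies, and token attribute names are constructed assumptions, not Canvas's real markup.

```python
import hashlib
import re

# Per-request values that legitimately differ between fetches. Hashing them
# would raise an alert on every check. Attribute names are assumed.
VOLATILE = [
    re.compile(r'(name="csrf_token"\s+value=")[^"]*(")'),
    re.compile(r'(nonce=")[^"]*(")'),
]

def normalize(html: str) -> bytes:
    """Blank out per-request tokens and collapse whitespace before hashing."""
    for pattern in VOLATILE:
        html = pattern.sub(r"\1\2", html)
    return re.sub(r"\s+", " ", html).strip().encode("utf-8")

def fingerprint(html: str) -> str:
    return hashlib.sha256(normalize(html)).hexdigest()

def build_baseline(pages: dict) -> dict:
    """Map each monitored path to the hash of its known-good content."""
    return {path: fingerprint(body) for path, body in pages.items()}

def compare(baseline: dict, current: dict) -> dict:
    """Report drift between the stored baseline and a fresh snapshot."""
    now = build_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in now),
        "unexpected": sorted(p for p in now if p not in baseline),
    }

# Constructed sample snapshots: a known-good capture and a later one.
KNOWN_GOOD = {
    "/login": '<form><input name="csrf_token" value="a1b2"><button>Log in</button></form>',
    "/login/help": "<p>Contact your school's help desk.</p>",
}
LATER = {
    "/login": '<form><input name="csrf_token" value="ffee"><button>Log in</button></form>'
              '<div class="banner">Unapproved notice text</div>',
    "/login/help": "<p>Contact your   school's help desk.</p>",
    "/login/notice.html": "<h1>Unapproved page</h1>",
}

if __name__ == "__main__":
    print(compare(build_baseline(KNOWN_GOOD), LATER))
```

Store the baseline somewhere the web tier cannot write to, so that whoever can alter a page cannot also update its expected hash.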
What to watch next: the May 21 congressional briefing, any further extortion attempts, and whether regulators impose new requirements on ed‑tech providers.