Instructure Settles with ShinyHunters Over Canvas Data Breach as Congress Seeks Testimony
Instructure says it returned and destroyed stolen Canvas data after a deal with ShinyHunters. Congress seeks testimony on the breach response.

TL;DR
Instructure agreed with ShinyHunters to return and destroy stolen Canvas data and promised not to extort customers. ShinyHunters told Reuters it deleted the data and will not target Instructure or its clients further. The House Homeland Security Committee has requested that Instructure’s CEO or a senior executive testify about the breach response, data scope, and cooperation with agencies like CISA.
Canvas, owned by Instructure, is a widely used learning‑management platform serving schools and colleges worldwide. In early 2024 the company disclosed a breach of its systems, though it has not released details on how attackers gained access, what vulnerability was exploited, or the exact number of records affected. The breach prompted outreach from affected institutions seeking clarification on data safety.
Under the settlement, Instructure states that all stolen data was returned and destroyed. ShinyHunters confirmed to Reuters that it deleted the information and will not pursue further attacks against Instructure or its customers. The company also pledged not to extort users whose data may have been involved.
Congressional scrutiny is rising. The House Homeland Security Committee has asked Instructure’s leadership to appear before a panel to explain the incident response, the breadth of data compromised, and the extent of coordination with federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA). Instructure has not yet commented on the request.
What Defenders Should Do
- Review and harden privileged access controls; enforce multi‑factor authentication for all administrative accounts (mitigates MITRE ATT&CK T1078 – Valid Accounts).
- Monitor SaaS application logs for anomalous API usage or unexpected data exports (T1059 – Command and Scripting Interpreter, T1021 – Remote Services).
- Apply the latest security patches for underlying infrastructure and subscribe to vendor advisories (e.g., CISA KEV catalog).
- Implement data loss prevention rules to detect bulk downloads of user records.
- Conduct regular tabletop exercises that include ransomware‑style extortion scenarios to improve decision‑making under pressure.
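As an illustration of the log-monitoring and bulk-download recommendations above, here is an added example (not from Instructure or the original article) of a sliding-window rule that flags an API token returning an unusually large number of user records in a short period. The log schema, token names, endpoints, window and threshold are all constructed assumptions and do not reflect Canvas's actual audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (generic schema, NOT Canvas's real log format):
# ISO timestamp, API token id, endpoint, number of user records returned.
SAMPLE_LOG = """\
2024-01-10T09:00:00 tok-teacher-17 /api/users 30
2024-01-10T09:05:00 tok-teacher-17 /api/users 25
2024-01-10T09:06:00 tok-integration-3 /api/users/export 4000
2024-01-10T09:09:00 tok-integration-3 /api/users/export 4000
2024-01-10T09:12:00 tok-integration-3 /api/users/export 4000
2024-01-10T11:30:00 tok-teacher-17 /api/users 40
malformed line without enough fields
"""

def parse(lines):
    """Yield (time, token, endpoint, count); skip lines that do not parse."""
    for line in lines:
        parts = line.split()
        try:
            ts, token, endpoint, count = parts
            yield datetime.fromisoformat(ts), token, endpoint, int(count)
        except ValueError:
            continue  # wrong field count or bad timestamp/number

def bulk_export_alerts(lines, window=timedelta(minutes=15), threshold=10000):
    """Flag tokens whose records returned within `window` exceed `threshold`."""
    recent = defaultdict(deque)   # token -> (time, count) events inside window
    totals = defaultdict(int)     # token -> running sum of counts in window
    alerts = []
    for ts, token, endpoint, count in sorted(parse(lines)):
        q = recent[token]
        q.append((ts, count))
        totals[token] += count
        while q and ts - q[0][0] > window:   # expire events older than window
            totals[token] -= q.popleft()[1]
        if totals[token] > threshold:
            alerts.append({"token": token, "at": ts.isoformat(),
                           "records": totals[token], "endpoint": endpoint})
            q.clear()                        # reset so one burst alerts once
            totals[token] = 0
    return alerts

if __name__ == "__main__":
    for alert in bulk_export_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

In practice the threshold would be set per token from that token's own historical baseline rather than as a single global value.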
What to watch next: whether Instructure complies with the congressional testimony request, and whether further technical details about the breach (such as the initial attack vector or exact data categories) are disclosed publicly.