NEWS 275 million users, almost 9000 educational institutions. U.S. Congress Demands Instructure Explanation for Double Attack on Canvas

pinkman

Hackers forced American colleges to cancel final exams.

The Canvas platform has become a federal-level problem in the US: after two ShinyHunters attacks, educational institutions faced data leaks, defaced login pages and outages during final exams. The Homeland Security Committee of the U.S. House of Representatives has demanded an explanation from the management of Instructure, the company that owns Canvas.

The chairman of the committee, Andrew Garbarino, sent a letter to the Director General of Instructure, Steve Daley. Legislators want to find out how the attackers were able to compromise the company's infrastructure twice in one week and affect a platform used by tens of millions of students, teachers and administrators. Instructure describes Canvas as a service with over 30 million active users worldwide.

The committee’s letter said the first attack occurred on May 1. The attackers gained access to the personal data of students and employees of educational institutions using Canvas. Instructure reported that the compromised information included the names of students, personal email addresses, student identifiers and messages between students and teachers. Passwords, financial information and state identifiers, according to the company, were not affected.

ShinyHunters said on its leak site that it has access to the data of about 275 million students, teachers and other employees from almost 9000 educational institutions around the world. The committee separately noted that the accuracy of the stated figures has not been confirmed, but that the gap between Instructure's public description of the incident and the scale claimed by the attackers requires a full and transparent accounting.

The case did not end with the first attack. On May 7, ShinyHunters, according to the committee, again compromised Instructure's systems and placed ransom demands directly on the Canvas login pages of educational institutions throughout the country. Students saw a message from the group instead of the usual login form. The outages occurred during final examinations and the end of the semester, when thousands of schools and universities are particularly dependent on the stable operation of the educational platform.

Educational institutions in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia and Wisconsin were among the victims. According to BleepingComputer, the second wave of attacks on Canvas was associated with several XSS vulnerabilities through which the attackers obtained authenticated administrative sessions and were able to change the login pages.

The letter also cites the attackers' own explanation. ShinyHunters said it hit Instructure again because the company ignored the group's appeals and issued security patches instead of negotiating. The group threatened to publish the stolen data on 12 May 2026 if Instructure did not agree to a settlement.

Later, Instructure disappeared from the ShinyHunters leak site, and the company announced an agreement with the group. According to Instructure, the agreement should stop the public release of the data and lead to the removal of the stolen information. The company did not explicitly say whether a ransom was paid, but extortion groups rarely stop a leak and promise to delete data without a payment or other transaction.

ShinyHunters then updated the message on its leak site and said that the data had been destroyed and that the affected educational institutions do not need to contact the group separately or try to negotiate payments. The attackers also wrote that the company and its customers will no longer be targeted with payment demands.

The Homeland Security Committee considers the repeated compromises grounds for serious questions to Instructure. Lawmakers want to assess the company's readiness to respond to incidents, to close vulnerabilities after the first hack, and to protect the data that educational institutions store. The committee asked Instructure or a senior representative of the company to give a briefing no later than May 21, 2026, covering the two attacks, the amount of data stolen, containment measures, notification of victims and cooperation with federal law enforcement agencies and CISA.