VYPR
breach · Published May 11, 2026 · Updated May 17, 2026 · 2 sources

House Committee Investigates Massive Canvas Data Breach and Extortion Campaign

The U.S. House Committee on Homeland Security is investigating a massive breach of the Canvas learning management platform after the ShinyHunters extortion group exploited XSS vulnerabilities to steal millions of student records and disrupt final exams.

The U.S. House Committee on Homeland Security has launched an investigation into Instructure following two consecutive cyberattacks by the ShinyHunters extortion group against its Canvas learning management platform. The incidents, which occurred within a single week, resulted in the theft of sensitive data belonging to millions of students and educators, as well as widespread service disruptions during critical final exam periods (BleepingComputer).

The technical mechanism behind the attacks involved the exploitation of multiple cross-site scripting (XSS) vulnerabilities. According to BleepingComputer, these flaws allowed the threat actors to hijack authenticated administrative sessions. By leveraging these XSS bugs within user-generated content features, the attackers gained the ability to perform privileged actions, including the modification of login portals and the exfiltration of data. Instructure confirmed that the exploited security issues specifically impacted the "Free-for-Teacher" version of the Canvas platform (BleepingComputer).

The impact of the breach is extensive, affecting approximately 8,809 educational institutions, including colleges, school districts, and online platforms across multiple U.S. states such as California, Florida, Georgia, and Texas (BleepingComputer). The stolen data, which ShinyHunters claimed totaled 280 million records, includes names, email addresses, student identification numbers, and internal messages between students and teachers. Notably, the company stated that passwords, financial information, and government identifiers were not compromised (BleepingComputer).

The second attack, which occurred on May 7, was a deliberate attempt to pressure Instructure into ransom negotiations. The attackers defaced Canvas login pages with extortion messages, forcing several institutions to cancel or delay final exams (BleepingComputer). In response, Instructure temporarily took the platform offline to remediate the vulnerabilities and implement additional safeguards. The company has since shut down the affected "Free-for-Teacher" accounts while restoring core services (BleepingComputer).

Following the escalation, Instructure reached an agreement with ShinyHunters to halt the public leak and ensure the deletion of the stolen data. While Instructure did not explicitly confirm a ransom payment, the extortion group subsequently updated its leak site to claim the data had been destroyed and that institutions no longer needed to contact them (BleepingComputer).

This incident highlights the significant risks posed to the education sector by centralized learning management systems. As the House Committee on Homeland Security seeks testimony from Instructure executives, the event underscores a growing pattern in which threat actors target widely used infrastructure to maximize leverage through mass data exfiltration and operational disruption (BleepingComputer).

Synthesized by Vypr AI