US House Committee Demands Briefing on Instructure Canvas Breach Affecting 275 Million Users
The US House Homeland Security Committee has summoned Instructure to a briefing after ShinyHunters exploited a Free-For-Teacher account flaw, stealing 3.65 TB of data affecting 275 million users across 9,000 institutions.
The US House Committee on Homeland Security has formally demanded that Instructure provide a detailed briefing on the cyberattacks that disrupted its widely used Canvas learning management system, according to a letter sent this week. The attacks, claimed by the notorious extortion group ShinyHunters, involved two separate intrusions on April 29 and May 7 that collectively stole 3.65 terabytes of data, including the personal information of 275 million students, teachers, and staff at approximately 9,000 educational institutions.
The first intrusion on April 29 caused widespread disruption of tools relying on API keys, which Instructure restored by May 3. However, the hackers returned on May 7, defacing school login portals and forcing the company to take services offline again. Instructure later revealed that an issue with its Free-For-Teacher accounts was exploited in both intrusions, leading the company to temporarily disable those accounts entirely.
"As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts. These accounts have been a core part of our platform, and we're committed to resolving the issues with these accounts," Instructure said on Monday. The company also disclosed that it struck a deal to have the stolen data returned and erased from the hackers' servers, and that the incident has been fully contained.
The Committee on Homeland Security is now demanding answers on how the intrusion occurred, what types of data were affected, and how the company resolved the attack. "The briefing should address the circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company's coordination with federal law enforcement and CISA," the Committee told Instructure in a letter.
According to the Committee, the May 7 disruption impacted universities and school districts across 11 states. The letter emphasized the severity of the situation, noting that "with students at more than 8,000 institutions navigating final examinations and end-of-semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern."
ShinyHunters has a well-documented history of high-profile attacks, including breaches of Ticketmaster, AT&T, and various educational institutions. The group's modus operandi typically involves extortion and data theft, making this incident particularly concerning given the sensitive nature of student and staff data involved.
The Committee's letter also highlighted the broader implications for the educational technology sector, stating that "the Committee takes seriously both the harm to students and educational institutions caused by this incident and the broader implications for how the educational technology sector manages and discloses cybersecurity risks." This incident serves as a stark reminder of the vulnerabilities inherent in widely adopted educational platforms and the critical need for robust security measures to protect sensitive student data.