
The Canvas breach proved that prevention is no longer enough

By: Greg Otto
18 May 2026 at 06:00

Earlier this month, ShinyHunters breached Instructure’s Canvas platform twice within a single week — stealing 3.65 terabytes of data from approximately 275 million users across more than 8,000 institutions. The group defaced login pages at hundreds of schools during final exam periods, forced Canvas offline, and extracted a ransom payment before Congress opened a formal investigation. The attack did not require exotic malware or zero-day exploits. Attackers entered through compromised “Free-For-Teacher” accounts, escalated rapidly, and exfiltrated sensitive data at scale before Instructure could contain them.

That sequence — entry through weak identity controls, rapid lateral movement, mass exfiltration, extortion, disruption — is now the standard playbook. It will happen again, unless the priority for security and technology leaders becomes reducing the blast radius of every intrusion before it happens.

The problem with how enterprises think about SaaS risk

Modern organizations have consolidated critical operations inside shared SaaS platforms, creating enormous concentrations of risk in single points of failure. When Canvas went down, thousands of students could not access coursework, faculty lost contact with their classes, and administrators scrambled to postpone exams. The scale of disruption came from how deeply institutions depended on Canvas, not from the vulnerability alone.

That asymmetry is the defining feature of SaaS risk in 2026. A single compromised account at a shared platform can trigger sector-wide operational failure. Yet most enterprise security frameworks still treat SaaS platforms primarily as availability problems — measured by uptime, recovery time objectives, and business continuity plans. Canvas exposed the gap in that thinking. Availability means nothing when the platform is operational but the data inside it has already been stolen.

Resilience in SaaS environments requires a harder and more honest premise: treat compromise as continuous and expected. Attackers will reach critical systems. The real test is how much they can take, how far they can move, and how long they can persist before detection and containment.

Identity is the perimeter now

The Canvas attack followed a pattern that has repeated across sectors for years. By compromising legitimate accounts with excessive standing privileges, the attackers moved laterally through Canvas infrastructure, maintained persistence, and exfiltrated data at a scale that took days to quantify.

Too many organizations still operate with fragmented identity controls, inconsistent privilege management, and limited visibility into how accounts interact across SaaS integrations. When attackers compromise a legitimate account, they inherit whatever access that account holds — and in most environments, that access far exceeds what the user actually needs. The result is that identity has become the most reliable attack surface in the modern enterprise, and most organizations are still treating it as a secondary concern.

Strong passwords and multifactor authentication are necessary but no longer sufficient. Enterprises need continuous identity verification, tightly scoped privileges, aggressive governance over third-party integrations, and real-time visibility into anomalous access patterns across SaaS systems. Identity governance cannot be a compliance checkbox. In cloud-native environments, it should be the primary control that determines how far an attacker can travel if they manage to get inside.

Data protection cannot stop at the application layer

Even organizations with strong identity controls face a second, underappreciated problem: the data stored inside SaaS platforms is often far less protected than the credentials used to access it.

Enterprises accumulate vast repositories of sensitive information inside SaaS environments — private messages, accommodation requests, financial records, personal disclosures — while relying almost entirely on application-level access controls to protect it. When those controls fail, as they did at Canvas, the data is immediately readable, searchable, and monetizable. 

Attackers do not need to crack anything. They simply take it.

Cryptographic protections — including encryption strategies that preserve organizational control over sensitive data even after it leaves the platform — directly reduce the value of a successful exfiltration. Stolen data that cannot be read or used is far less valuable as an extortion instrument. That distinction matters significantly in today’s threat environment, where the leverage attackers extract from stolen data often outlasts the breach itself.

The threat does not expire when the incident ends 

The “agreement” between Canvas’s parent company and attackers illustrates a risk that most organizations have not yet fully priced in. While Instructure received digital confirmation that the stolen data was destroyed, Congress opened an investigation anyway. The Instructure CEO has been called to testify before the House Homeland Security Committee. Affected institutions — many of which had no visibility into Instructure’s security posture or incident response capabilities — remain accountable for protecting student data they can no longer control.

That accountability gap will not close after Congress concludes its inquiry. Sensitive data stolen during incidents like Canvas retains value long after the breach itself. Adversaries increasingly collect encrypted data today with the expectation that it can be decrypted later as cryptographic standards age or quantum computing capabilities mature. This “harvest now, decrypt later” approach means that encryption protecting data only in the present still leaves organizations exposed downstream.

Strong cryptographic protection must therefore be paired with crypto-agility and post-quantum readiness. Security leaders should assume that any sensitive data exfiltrated during a SaaS breach may remain a target for years, not days. If stolen data remains immediately usable, attackers retain leverage indefinitely. If it does not, the economics of extortion shift.

What the Canvas breach actually demands

The lesson from Canvas is not that SaaS platforms are inherently insecure. They remain foundational to how modern organizations operate and scale. The lesson is that the assumptions underlying most enterprise security strategies — that prevention is the primary objective, that access controls are sufficient data protection, that recovery means restoring uptime — no longer match the realities of today’s threat environment.

Attackers have already internalized this. They target SaaS platforms precisely because the concentration of data and operational dependency makes them extraordinarily high-value targets. They exploit identity weaknesses because those weaknesses are pervasive and reliable. They apply extortion pressure because stolen data retains leverage long after technical remediation.

The organizations that close this gap — by treating identity governance as mission-critical infrastructure, implementing cryptographic protections that survive exfiltration, building recovery discipline alongside prevention, and planning for post-quantum exposure — will be significantly better positioned when the next breach arrives. And it will arrive. The only variable is how much it costs.

Rishi Kaushal is the CIO of Entrust, a company that helps organizations fight fraud and cyber threats with identity-centric security.

The post The Canvas breach proved that prevention is no longer enough appeared first on CyberScoop.

Another detail emerges about Instructure’s agreement with ShinyHunters; Debate continues about whether to pay

By: Dissent
16 May 2026 at 13:29
Media outlets have been understandably eager to learn whether Instructure paid ShinyHunters after the latter attacked them for a second time on May 7. Considering that they pledged to be more transparent, DataBreaches doesn’t fully understand why Instructure wasn’t more forthright about the payment issue in its update, unless they were trying to avoid encouraging...


Instructure claims hackers returned stolen Canvas data after an extortion standoff

11 May 2026 at 19:31

Instructure, the company behind Canvas, said it reached an agreement with the cybercriminals who threatened to leak a trove of sensitive data they claim was stolen during a prolonged cyberattack on the widely used education tech platform.

Pressure was mounting on the company as widespread outages left schools, students and teachers temporarily unable to access critical data late last week when the company took Canvas offline after the attackers defaced the platform’s login page. By Friday, the company said Canvas — a central hub for K-12 and university coursework, exams, grades and communication — was back online and fully operational. 

ShinyHunters, a decentralized crew of prolific cybercriminals that researchers affiliate with The Com, claimed responsibility for the attack on its data leak site and was attempting to extort the company for an unknown ransom amount. 

Instructure didn’t outright say it paid a ransom, but insisted the agreement provided all necessary assurances. “The data was returned to us. We received digital confirmation of data destruction (shred logs),” the company said in an update Monday.

“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” the company added. “This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”

The threat group initially set a deadline of May 6 — four days after Instructure previously said the incident was contained — claiming it stole 3.65 terabytes of data spanning 275 million records across 8,809 school systems. 

When that deadline passed without payment, ShinyHunters escalated its pressure on the company by “injecting an extortion message directly into the Canvas login pages of roughly 330 institutions, and pivoted to school-by-school extortion with a current deadline of May 12,” Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told CyberScoop.

The additional public pressure prompted Instructure to take Canvas offline, disrupting schoolwork and access to critical systems nationwide.

Instructure CEO Steve Daly apologized over the weekend for the company’s inconsistent communication and deficient public response to the cyberattack. 

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that,” he said in a statement.

Daly acknowledged that the attack, which remains under investigation aided by CrowdStrike, exposed usernames, email addresses, course names, enrollment information and messages. He insisted that course content, submissions and credentials were not compromised.

The temporary but widespread disruption has spurred broad concern across the education sector as ransomware experts and threat hunters continue to track developments. The cyberattack also caught the attention of lawmakers on Capitol Hill. 

The House Homeland Security Committee on Monday published a letter to Daly seeking a briefing with him or a senior leader at Instructure by May 21. 

“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” House Homeland Security Chairman Andrew Garbarino, R-N.Y., wrote in the letter to Daly.

The committee wants to learn more about the “circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency,” he added.

CISA did not describe the extent of its involvement in Instructure’s response. “CISA is aware of a potential cyber incident affecting Canvas. As the nation’s cyber defense agency, we provide voluntary support and cybersecurity services to organizations in responding to and recovering from incidents,” Chris Butera, the agency’s acting executive assistant director for cybersecurity, said in a statement.

Instructure’s timeline of the attack has changed and remains incomplete. The company said it first detected unauthorized activity in Canvas on April 29 and immediately revoked the attacker’s access and initiated an incident response. Researchers not directly involved with the formal investigation said ShinyHunters gained access to Canvas at least a few days earlier.

The follow-on malicious activity on May 7 — the defacement of public login pages — was tied to the same incident, the company said. 

“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts,” the company said in an updated post about the incident.

Instructure did not answer questions about the vulnerability or explain how attackers intruded into its systems. The company said it also revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls and monitoring.

Canvas is fully operational and safe to use, the company said, adding that CrowdStrike has reviewed known indicators of compromise and “found no evidence that the threat actor currently has access to the platform.”

Access still remains spotty and unavailable for some Canvas users as school districts restore the platform in phases after conducting their own internal checks.

Halcyon published an alert about the attack Friday, including a screenshot of the message that some school staff, guardians and students encountered before Instructure took the learning management system offline.

ShinyHunters is a notorious data theft extortion group that previously hit major cloud platforms, including Salesforce and Snowflake, via voice phishing, credential theft and supply-chain attacks. 

Education is a recurring and consistent target for cybercriminals, accounting for more than 250 ransomware attacks globally last year, according to Halcyon. 

Yet, the scope of the attack on Canvas “makes this one of the largest single education-sector exposures we’ve tracked,” Kaiser said.

“By compromising a shared platform used across thousands of schools, ShinyHunters hit the entire education sector in one move, which is the same playbook Clop ran against Oracle EBS customers last fall,” she added. “Among 2026 incidents against critical infrastructure, this is at or near the top for education-sector impact, and it highlights a trend of third-party software vendors now being part of an attack surface, and causing cascading effects across an entire sector.”

Cybersecurity professionals focused on ransomware and data theft extortion consistently encourage victims to not pay ransoms, but they also often acknowledge that companies have to make tough decisions based on their own interests and the security of their customers or users caught up in the aftermath.

Allison Nixon, chief research officer at Unit 221B, said the threat group claiming responsibility for the attack should not be trusted. 

“They are claiming they will delete the data after they are paid, and if they are not paid that they will leak the data,” she told CyberScoop. “This is in line with the past data extortion scams run by the same and related Com actors, who have made false statements to victims and to the public in the past.”

Instructure acknowledged that its agreement with the attackers isn’t ironclad. “While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company said.

Daly — a longtime security executive who was previously CEO at Ivanti — ended his mea culpa with a pledge to improve communications and provide a summary of a forensics report soon.

“Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward,” he said. 

“Rebuilding trust takes time,” Daly added. “We’re going to earn it back through consistent action and honest communication.”

Update: May 12, 11:00 am: This story has been updated to reflect that Instructure announced they have reached a deal with ShinyHunters.

The post Instructure claims hackers returned stolen Canvas data after an extortion standoff appeared first on CyberScoop.

Developing: ShinyHunters Hacks Instructure Again; Canvas Down (1)

By: Dissent
7 May 2026 at 18:08
When Instructure did not contact ShinyHunters to negotiate any payment after ShinyHunters attacked them for a second time in April, the threat actors threatened to leak every school’s data, and posted a notice telling schools how to contact them directly to avoid having their data leaked. When Instructure still didn’t contact them after that escalation, ...
