Canvas cyberattack – House Homeland Security asks Instructure executives to testify after ShinyHunters breached Canvas twice, stealing data and disrupting exams.

A major U.S. congressional probe has been launched after a cyberattack targeting Instructure’s Canvas learning platform struck twice within a week, compromising student information and disrupting schools during critical exam periods.

The U.S.. House Committee on Homeland Security is calling on Instructure executives to testify about the incidents. according to a letter sent to Instructure CEO Steve Daly.. The committee says it is investigating the breach affecting millions of students and the educators and administrators who rely on Canvas as a daily tool for coursework. communication. and assessment.

In the letter, Committee Chairman Andrew R.. Garbarino said the cybercriminal group known as ShinyHunters breached Instructure twice in the span of one week.. The repeated nature of the attacks is central to the committee’s focus. which is aimed not only at what happened. but at how Instructure responded and what measures were put in place after the first intrusion.

Instructure first disclosed the breach on May 3.. The company later said it detected the intrusion on April 29 after threat actors compromised its systems and used Canvas to steal data belonging to students and school staff.. The committee’s letter frames the incident as affecting tens of millions who depend on the platform.

Instructure said the information exposed included names. email addresses. student identification numbers. and messages exchanged between students and teachers on the platform.. At the same time. the company stated that the compromised data did not include passwords. financial information. or government identifiers. a distinction that matters for understanding the potential downstream impact and risk.

The attack was later tied to a claim of responsibility by ShinyHunters. which said it was carrying out an extortion operation.. The group told reporting that it stole 280 million data records from thousands of education organizations and online education providers. and it posted lists of targeted institutions along with record counts that varied widely by school or district.

While one part of the incident involved the theft and exposure of data. the second breach shifted from data access to disruption.. ShinyHunters carried out a follow-up attack that defaced Canvas login portals at schools and universities across the United States. replacing normal access pages with extortion messages.

According to the report and the committee letter, the disruption occurred during final exams and end-of-semester activities in multiple states.. Some institutions were forced to cancel exams. underscoring how a compromise of a widely used platform can quickly turn from a cyber incident into an operational crisis affecting students on tight academic calendars.

Reporting also indicated that the attackers used multiple cross-site scripting (XSS) vulnerabilities to obtain authenticated admin sessions and alter the login portal pages.. That technical detail matters because it suggests the attackers were able to move from an initial weakness toward changes that impacted end users directly. without needing a separate long-term presence.

The committee letter also cites where disruptions tied to the incident were reported. naming schools in California. Florida. Georgia. Oklahoma. Oregon. Nevada. North Carolina. Tennessee. Utah. Virginia. and Wisconsin.. By listing the affected states, the committee is signaling that the consequences were broad enough to merit federal attention.

The letter further references messages in which attackers claimed they targeted Instructure again after the company refused to negotiate.. Extortion campaigns often use public pressure and deadlines to force responses. and the committee appears to be probing whether repeated compromises were connected to how the situation was handled after the first theft.

In recent developments. it was reported that shortly after ShinyHunters removed Instructure from its data leak site. Instructure disclosed it reached an agreement to stop the public leak and ensure the stolen data was deleted.. The committee did not treat that as an end point; instead. it framed the overall sequence of events as raising serious questions about how Instructure managed incidents.

The committee said repeated compromises raise concerns about Instructure’s incident response capabilities and its responsibilities to protect the data it stores.. For organizations running large-scale education platforms. the challenge is not just preventing intrusion. but responding in a way that limits both data exposure and platform downtime when attackers switch tactics from theft to disruption.

The committee is requesting that Instructure, or a senior representative, participate in a briefing no later than May 21.. The discussion is expected to cover both intrusions. the stolen data. containment and notification steps. and coordination with federal agencies. reflecting the committee’s interest in both technical mitigation and broader compliance and communication obligations.

For students. educators. and administrators. the immediate lesson is that learning management systems are operational infrastructure as much as they are software.. When an attacker can alter login pages during exams. the harm extends beyond information theft into academic continuity. making rapid recovery planning just as important as data security.

Instructure Canvas breach ShinyHunters cybersecurity extortion House Homeland Security probe cross-site scripting attacks education data security ransomware incident response